How do I handle service worker updates across a managed device fleet?

Use a version check endpoint that your service worker pings on activation. When a critical update is available, set a `forceUpdate` flag that triggers `registration.unregister()` followed by a page reload. For managed devices, coordinate with your MDM solution to clear browser caches during maintenance windows. Avoid `skipWaiting()` in enterprise contexts — it can cause partial UI updates that confuse users.

What IndexedDB quota limits should I expect on enterprise devices?

Most browsers allocate 50-80% of available disk space to web storage, but enterprise MDM policies can reduce this to as low as 50MB. Chrome on managed Windows devices often has group policies that limit storage. Implement a storage quota check on app startup using `navigator.storage.estimate()` and degrade gracefully when available space is insufficient for your offline data requirements.

How do I integrate PWA offline capabilities with enterprise SSO providers?

Store refresh tokens in IndexedDB (encrypted via Web Crypto API), not in cookies or localStorage. When the service worker intercepts a request and the access token is expired, attempt a silent refresh. If the refresh fails (offline or token expired), queue the request in the sync queue and redirect the user to the SSO login page when connectivity returns. SAML-based SSO requires online authentication — design your offline mode to work with cached data only.

Should enterprise PWAs use Workbox or custom service worker code?

Use Workbox for static asset caching strategies (precaching, runtime caching with defined strategies). Write custom code for enterprise-specific concerns: encrypted storage, auth token management, and sync queue processing. Workbox's `workbox-background-sync` is a reasonable starting point for offline queueing but typically needs customization for conflict resolution and audit logging requirements.

Progressive Web Apps Best Practices for Enterprise Teams

Progressive Web Apps in enterprise environments face constraints that consumer PWAs rarely encounter: strict content security policies, managed device fleets, integration with identity providers, and compliance requirements that govern how offline data is stored. These best practices address the specific challenges enterprise teams encounter when shipping PWAs to production.

Service Worker Lifecycle Management

Enterprise applications require predictable update cycles. Aggressive service worker caching that silently serves stale content is unacceptable when regulatory dashboards or financial data is involved.

Implement Version-Aware Cache Busting

typescript

1// sw.ts

2const CACHE_VERSION = 'v2.4.1';

3const CACHE_NAME = `app-${CACHE_VERSION}`;

5const PRECACHE_URLS = [

6 '/',

7 '/index.html',

8 '/styles/main.css',

9 '/scripts/app.js',

10];

12self.addEventListener('install', (event: ExtendableEvent) => {

13 event.waitUntil(

14 caches.open(CACHE_NAME).then(cache => cache.addAll(PRECACHE_URLS))

15 );

16 // Skip waiting only in non-critical environments

17 // Enterprise: let the user explicitly trigger activation

18});

20self.addEventListener('activate', (event: ExtendableEvent) => {

21 event.waitUntil(

22 caches.keys().then(keys =>

23 Promise.all(

24 keys

25 .filter(key => key.startsWith('app-') && key !== CACHE_NAME)

26 .map(key => caches.delete(key))

27 )

28 )

29 );

30});

Force Update for Critical Patches

Enterprise teams need the ability to bypass the service worker cache for security patches:

typescript

1// In your main application code

2async function checkForCriticalUpdate(): Promise<boolean> {

3 const response = await fetch('/api/version', { cache: 'no-store' });

4 const { version, forceUpdate } = await response.json();

6 if (forceUpdate) {

7 const registration = await navigator.serviceWorker.getRegistration();

8 if (registration) {

9 await registration.unregister();

10 window.location.reload();

11 }

12 return true;

13 }

14 return false;

15}

17// Run on app startup

18checkForCriticalUpdate();

Offline-First Data Strategies

Implement Conflict Resolution for Multi-User Scenarios

Enterprise PWAs often involve multiple users editing shared resources. Design your offline sync with explicit conflict resolution:

typescript

1interface SyncQueueItem {

2 id: string;

3 entity: string;

4 operation: 'create' | 'update' | 'delete';

5 payload: Record<string, unknown>;

6 timestamp: number;

7 userId: string;

8 retryCount: number;

11class OfflineSyncManager {

12 private db: IDBDatabase;

13 private readonly MAX_RETRIES = 3;

15 async queueOperation(item: Omit<SyncQueueItem, 'id' | 'retryCount'>): Promise<void> {

16 const tx = this.db.transaction('syncQueue', 'readwrite');

17 await tx.objectStore('syncQueue').add({

18 ...item,

19 id: crypto.randomUUID(),

20 retryCount: 0,

21 });

22 }

24 async processSyncQueue(): Promise<SyncResult[]> {

25 const tx = this.db.transaction('syncQueue', 'readonly');

26 const items: SyncQueueItem[] = await this.getAllFromStore(tx.objectStore('syncQueue'));

27 const results: SyncResult[] = [];

29 // Process in chronological order

30 items.sort((a, b) => a.timestamp - b.timestamp);

32 for (const item of items) {

33 try {

34 const response = await fetch(`/api/${item.entity}`, {

35 method: this.operationToMethod(item.operation),

36 headers: {

37 'Content-Type': 'application/json',

38 'X-Client-Timestamp': String(item.timestamp),

39 },

40 body: JSON.stringify(item.payload),

41 });

43 if (response.status === 409) {

44 // Conflict — let the server's version win or prompt user

45 const serverVersion = await response.json();

46 results.push({ item, status: 'conflict', serverVersion });

47 } else if (response.ok) {

48 await this.removeFromQueue(item.id);

49 results.push({ item, status: 'synced' });

50 }

51 } catch (error) {

52 if (item.retryCount >= this.MAX_RETRIES) {

53 results.push({ item, status: 'failed' });

54 } else {

55 await this.incrementRetry(item.id);

56 }

57 }

58 }

59 return results;

60 }

62 private operationToMethod(op: string): string {

63 return { create: 'POST', update: 'PUT', delete: 'DELETE' }[op] ?? 'POST';

64 }

65}

Encrypt Sensitive Offline Data

Enterprise compliance often requires encryption of locally cached data:

typescript

1class EncryptedStorage {

2 private key: CryptoKey | null = null;

4 async initialize(userPassword: string): Promise<void> {

5 const encoder = new TextEncoder();

6 const keyMaterial = await crypto.subtle.importKey(

7 'raw',

8 encoder.encode(userPassword),

9 'PBKDF2',

10 false,

11 ['deriveKey'],

12 );

14 this.key = await crypto.subtle.deriveKey(

15 {

16 name: 'PBKDF2',

17 salt: encoder.encode('enterprise-pwa-salt'),

18 iterations: 100000,

19 hash: 'SHA-256',

20 },

21 keyMaterial,

22 { name: 'AES-GCM', length: 256 },

23 false,

24 ['encrypt', 'decrypt'],

25 );

26 }

28 async store(key: string, data: unknown): Promise<void> {

29 if (!this.key) throw new Error('Storage not initialized');

31 const iv = crypto.getRandomValues(new Uint8Array(12));

32 const encoded = new TextEncoder().encode(JSON.stringify(data));

33 const encrypted = await crypto.subtle.encrypt(

34 { name: 'AES-GCM', iv },

35 this.key,

36 encoded,

37 );

39 const tx = this.db.transaction('encrypted', 'readwrite');

40 await tx.objectStore('encrypted').put({

41 key,

42 iv: Array.from(iv),

43 data: Array.from(new Uint8Array(encrypted)),

44 });

45 }

46}

Performance Budgets for Enterprise Networks

Enterprise networks often have proxy servers, VPN overhead, and traffic inspection that add 50-200ms of latency. Set performance budgets accordingly:

typescript

1// performance-budget.ts

2const ENTERPRISE_BUDGETS = {

3 firstContentfulPaint: 2500, // ms (consumer: 1500ms)

4 largestContentfulPaint: 4000, // ms (consumer: 2500ms)

5 totalBlockingTime: 300, // ms

6 cumulativeLayoutShift: 0.1,

7 totalBundleSize: 500_000, // bytes (gzipped)

8 serviceWorkerInstallTime: 3000, // ms

9};

11class PerformanceMonitor {

12 observe(): void {

13 const observer = new PerformanceObserver((list) => {

14 for (const entry of list.getEntries()) {

15 if (entry.entryType === 'largest-contentful-paint') {

16 const lcp = entry.startTime;

17 if (lcp > ENTERPRISE_BUDGETS.largestContentfulPaint) {

18 this.reportBudgetViolation('LCP', lcp, ENTERPRISE_BUDGETS.largestContentfulPaint);

19 }

20 }

21 }

22 });

23 observer.observe({ type: 'largest-contentful-paint', buffered: true });

24 }

26 private reportBudgetViolation(metric: string, actual: number, budget: number): void {

27 navigator.sendBeacon('/api/performance', JSON.stringify({

28 metric,

29 actual: Math.round(actual),

30 budget,

31 userAgent: navigator.userAgent,

32 connectionType: (navigator as any).connection?.effectiveType,

33 }));

34 }

35}

Content Security Policy Integration

Enterprise PWAs must work within strict CSP headers. Configure your service worker to respect CSP:

typescript

1// Avoid eval() and inline scripts in service workers

2// Use importScripts() for external dependencies

4// In your HTTP headers:

5// Content-Security-Policy: default-src 'self';

6// script-src 'self' 'wasm-unsafe-eval';

7// connect-src 'self' https://api.example.com;

8// worker-src 'self';

10// Service worker fetch handler that respects CSP

11self.addEventListener('fetch', (event: FetchEvent) => {

12 const url = new URL(event.request.url);

14 // Only cache same-origin requests

15 if (url.origin !== self.location.origin) {

16 return; // Let the browser handle cross-origin requests normally

17 }

19 event.respondWith(

20 caches.match(event.request).then(cached => {

21 if (cached) return cached;

22 return fetch(event.request).then(response => {

23 // Only cache successful, same-origin responses

24 if (response.ok && response.type === 'basic') {

25 const clone = response.clone();

26 caches.open(CACHE_NAME).then(cache => cache.put(event.request, clone));

27 }

28 return response;

29 });

30 })

31 );

32});

Need a second opinion on your mobile/frontend architecture?

I run free 30-minute strategy calls for engineering teams tackling this exact problem.

Book a Free Call

Authentication and Token Management

Enterprise SSO integration requires careful token handling in service workers:

typescript

1class AuthTokenManager {

2 private tokenRefreshPromise: Promise<string> | null = null;

4 async getValidToken(): Promise<string> {

5 const token = await this.getStoredToken();

6 if (token && !this.isExpired(token)) {

7 return token.accessToken;

8 }

10 // Deduplicate concurrent refresh requests

11 if (!this.tokenRefreshPromise) {

12 this.tokenRefreshPromise = this.refreshToken().finally(() => {

13 this.tokenRefreshPromise = null;

14 });

15 }

16 return this.tokenRefreshPromise;

17 }

19 private async refreshToken(): Promise<string> {

20 const refreshToken = await this.getRefreshToken();

21 const response = await fetch('/auth/refresh', {

22 method: 'POST',

23 headers: { 'Content-Type': 'application/json' },

24 body: JSON.stringify({ refreshToken }),

25 });

27 if (!response.ok) {

28 // Redirect to login — broadcast to all clients

29 const clients = await (self as unknown as ServiceWorkerGlobalScope).clients.matchAll();

30 clients.forEach(client => client.postMessage({ type: 'AUTH_REQUIRED' }));

31 throw new Error('Token refresh failed');

32 }

34 const data = await response.json();

35 await this.storeToken(data);

36 return data.accessToken;

37 }

38}

Checklist

Anti-Patterns to Avoid

Cache-everything strategy: Enterprise data changes frequently and stale cache causes compliance issues. Use network-first for API calls and cache-first only for static assets.

Ignoring managed device constraints: Corporate MDM solutions may restrict IndexedDB quota, disable service workers, or block Web Crypto API. Test on managed device profiles, not just developer machines.

Storing PII in Cache API: The Cache API stores data unencrypted. Use IndexedDB with Web Crypto for any personally identifiable information that must be available offline.

Silent background sync: Enterprise users and compliance teams need visibility into what data is synced. Provide a sync status UI and audit trail for all offline operations.

Conclusion

Enterprise PWAs succeed when they respect the constraints of corporate IT environments rather than fighting them. Service worker lifecycle management, encrypted offline storage, and CSP compliance are not optional features — they are prerequisites for enterprise deployment approval.

The most common failure mode is building a consumer-grade PWA and attempting to retrofit enterprise requirements. Start with the assumption that your service worker will operate behind a corporate proxy, your IndexedDB will be quota-limited, and your users will need audit trails for offline actions. Design for these constraints from the beginning, and the result is a PWA that enterprise security teams approve rather than block.

FAQ

Need expert help?

Building with mobile/frontend?

I help teams ship production-grade systems. From architecture review to hands-on builds.

Book a Free Call Send a Brief

pwa service-workers offline-first web-performance enterprise best-practices

Muneer Puthiya Purayil

SaaS Architect & AI Systems Engineer. 10+ years shipping production infrastructure across fintech, automotive, e-commerce, and healthcare.

View Portfolio Book a Call

← Previous

Service Worker Lifecycle Management

Implement Version-Aware Cache Busting

Force Update for Critical Patches

Offline-First Data Strategies

Implement Conflict Resolution for Multi-User Scenarios

Encrypt Sensitive Offline Data

Performance Budgets for Enterprise Networks

Content Security Policy Integration

Authentication and Token Management

Checklist

Anti-Patterns to Avoid

Conclusion

FAQ

Building with mobile/frontend?

Progressive Web Apps Best Practices for Startup Teams

Progressive Web Apps at Scale: Lessons from Production

How to Build Progressive Web Apps Using Nextjs

Progressive Web Apps at Scale: Lessons from Production

Progressive Web Apps Best Practices for Startup Teams

Start aConversation.

Start a
Conversation.