
New threat model: cycle tracker app #43622

Open

estelle wants to merge 4 commits into main from TM_PWA


@estelle estelle commented Mar 30, 2026

threat model example

I didn't add any links to this yet. Want to make sure it's something we actually want to include before doing the additional work.

related to the #42980 PR

@estelle estelle requested a review from a team as a code owner March 30, 2026 11:48
@estelle estelle requested review from hamishwillee and removed request for a team March 30, 2026 11:48
@github-actions github-actions bot added the Content:Security Security docs label Mar 30, 2026
@estelle estelle requested a review from Elchi3 March 30, 2026 11:48
@github-actions github-actions bot added the size/m [PR only] 51-500 LoC changed label Mar 30, 2026

github-actions bot commented Mar 30, 2026

Preview URLs (1 page)

Flaws (2)

Found an unexpected or unresolvable flaw? Please report it here.

URL: /en-US/docs/Web/Security/Threat_modeling/PWA_threat_model
Title: Example threat model
Flaw count: 2

  • broken_links:
    • Link /en-US/docs/Web/Security/Threat_modeling doesn't resolve
    • Link /en-US/docs/Web/Security/Threat_modeling doesn't resolve
External URLs (1)

URL: /en-US/docs/Web/Security/Threat_modeling/PWA_threat_model
Title: Example threat model

(comment last updated: 2026-03-30 15:46:16)


@hamishwillee hamishwillee left a comment

FWIW I would not replace the proposed threat model with this but it does not hurt to have multiple threat model examples. This could reasonably live alongside the other example OR it could be part of the Cycle tracker docs as "the threat model", not "an example". That might even be cool as a demonstration of best practise.

@estelle @Elchi3 Really up to you two to decide whether you want to do this. I'll review it in detail if you decide you want to include it.


estelle commented Apr 7, 2026

> FWIW I would not replace the proposed threat model with this but it does not hurt to have multiple threat model examples. This could reasonably live alongside the other example OR it could be part of the Cycle tracker docs as "the threat model", not "an example". That might even be cool as a demonstration of best practise.

Completely agree. My thoughts exactly. Either as a second (or third) example in the security area, or likely living within the PWA section when we start adding security and privacy best practices to all our content like we do a11y.

My thought as a "third" was that creating a threat model for a regular menstrual tracking app might be useful to show how threats can really be dangerous, and highlighting why the PWA is a good solution. But that kind of goes beyond MDN scope... though such an exercise might be a good way of demonstrating WHY we do threat models.

@hamishwillee

> n exercise might be a good way of demonstrating WHY we do threat models.

Yeah, there are genuine threats in this use case. Still think @Elchi3 should review first, mostly because I'm way behind on my FF docs - also because he has a much better view of threat models.
