Even if a user is authenticated, there is no assurance that they are not a malicious hacker. How can I validate the push servers from the web push subscription endpoints? Is there a white list of push servers? Is there any other approach to validation? How can I do this in Java?
We maintain and use this whitelist in production, it is still valid:
https://github.com/pushpad/known-push-services
You should connect only to the whitelisted hosts to avoid unexpected behaviors - otherwise a non response, slow response, etc. from malicious servers can degrade your services.
Then when you connect to a known / trusted host you can simply validate the HTTP status code.