GDPR webhooks do not include HMAC

Tourist

It looks like the GDPR webhooks do not include the "x-shopify-hmac-sha256" headers, so how can we be sure the request is safe to be executed? Only by knowing the shop_id, anyone can send a "shop/redact" to a known endpoint to delete the shop data...

Shopify Staff

Hello! The `X-Shopify-Hmac-SHA256` header is always included in our `customers/redact` and `shop/redact` webhooks. Is there a specific request you've found that is missing it?

Tourist

Not exactly, it is the first time the hashes do not match, so I thought the HMAC was empty... but you are right, I'm sorry, it was our mistake.
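An added example, not part of the thread and not Shopify's own code: a receiver-side check for the `X-Shopify-Hmac-SHA256` header on a `shop/redact` request, rejecting the request when the header is missing or does not match. It assumes the header carries the base64-encoded HMAC-SHA256 of the raw request body keyed with the app's shared secret; the secret, the payload and the `handle_redact` handler are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values: placeholder secret and payload, not real Shopify data.
APP_SECRET = b"example-shared-secret"
RAW_BODY = b'{"shop_id": 123456, "shop_domain": "example-shop.myshopify.com"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256(secret, raw_body): the value the header should carry."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_webhook(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if the header matches the HMAC of the exact bytes received."""
    if not header_value:
        return False  # missing or empty header: reject, never fall through
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())


def handle_redact(secret: bytes, raw_body: bytes, headers: dict):
    """Hypothetical handler: authenticate first, parse and act only afterwards."""
    # Header names are case-insensitive on the wire.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_webhook(secret, raw_body, lowered.get("x-shopify-hmac-sha256")):
        return 401, None
    return 200, json.loads(raw_body)["shop_id"]


if __name__ == "__main__":
    good = {"X-Shopify-Hmac-SHA256": sign(APP_SECRET, RAW_BODY)}
    print(handle_redact(APP_SECRET, RAW_BODY, good))   # signed request is accepted
    print(handle_redact(APP_SECRET, RAW_BODY, {}))     # no header is rejected
    # Re-serialising parsed JSON changes the bytes, so the hashes stop matching.
    reencoded = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode()
    print(handle_redact(APP_SECRET, reencoded, good))  # altered bytes are rejected
```

The check runs on the bytes as received, before any JSON parsing, because a framework that hands the handler a re-encoded body will produce a different digest even for a genuine request.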