Is it safe to store sensitive information in product metafields?
I don't mean any personal or financial customer information, but only information that can be accessed by those who purchased the product.
The information I want to store in the metafields isn't free and should be safe (download links, paid tutorials, etc.).
This is an accepted solution.
Metafield resources were almost always subject to hacking because originally they had zero security. Anyone with a decent scoped API key could read and write metafield resources for almost anything. Can you say problematic wild west? Some App developers went overboard and made everything a metafield, while others tried to be careful and only store valuable info there. So along came twits that would accidentally erase metafields not of their creation, ruining merchant lives!!
So Shopify got wise in a way, and now when you create a metafield, and it is scoped to your APP, other Apps cannot monkey with your metafield resource. That being said, reading a key:value pair is a Liquid thing, so sloppy Liquid could expose metafield data in order emails, etc. So the answer to your question is subtle.
Yes, you can store important info in them. It is probably not wise to store customer-centric info in a product metafield though. You more likely want to save that in the customer record itself. Or even the customer order. So if a customer purchases a product, that belongs to the customer's order. Pollute the order with the product-specific info. Then expose it ONLY in the customer account Liquid, where they can scan their orders, and see their products.
Just saying... if you sell 10000 people a product, you probably do not want 10000 metafield resources attached to that product. Would be kinda gnarly...
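
One way to check a theme for the "sloppy Liquid" exposure the accepted answer warns about. This is an added example, not code from the thread or from Shopify. It flags every Liquid template that reads a protected metafield namespace outside the customer account pages. The namespace `paid_content`, the key `download_url`, the template paths and the sample templates are all assumptions constructed for illustration.

```python
import re

# Assumption: paid content lives in a metafield namespace called
# "paid_content" (hypothetical name, not from the thread).
PROTECTED_NAMESPACE = "paid_content"

# Templates where the answer says the data may be rendered: the logged-in
# customer's own account and order pages (assumed theme paths).
ALLOWED_TEMPLATES = {
    "templates/customers/account.liquid",
    "templates/customers/order.liquid",
}

# Matches both access styles: metafields.paid_content.key and
# metafields["paid_content"]["key"] / metafields['paid_content'].key
_REF = re.compile(
    r"""metafields\s*(?:\.\s*(?P<dot>[A-Za-z0-9_-]+)|\[\s*["'](?P<br>[^"']+)["']\s*\])"""
)

def find_exposures(templates, namespace=PROTECTED_NAMESPACE, allowed=ALLOWED_TEMPLATES):
    """Return sorted (path, line_no, line) tuples where the protected
    namespace is referenced in a template outside the allow-list."""
    findings = []
    for path, source in templates.items():
        if path in allowed:
            continue
        for line_no, line in enumerate(source.splitlines(), start=1):
            for m in _REF.finditer(line):
                if (m.group("dot") or m.group("br")) == namespace:
                    findings.append((path, line_no, line.strip()))
                    break  # one finding per line is enough
    return sorted(findings)

# Constructed sample templates (paths and contents are illustrative only).
SAMPLE_TEMPLATES = {
    "templates/customers/order.liquid":
        "{% for item in order.line_items %}\n"
        "  {{ order.metafields.paid_content.download_url }}\n"
        "{% endfor %}\n",
    "templates/product.liquid":
        "<h1>{{ product.title }}</h1>\n"
        "<a href=\"{{ product.metafields['paid_content']['download_url'] }}\">Get it</a>\n"
        "{{ product.metafields.specs.weight }}\n",
    "notifications/order_confirmation.liquid":
        "Thanks!\n{{ order.metafields.paid_content.download_url }}\n",
}

if __name__ == "__main__":
    for path, line_no, line in find_exposures(SAMPLE_TEMPLATES):
        print(f"{path}:{line_no}: {line}")
```

Run it over a theme export plus saved copies of the notification templates; anything it reports is a place where the paid content would render for someone other than the buyer viewing their own account.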