Webhook verification process and use bcrypt in addition to sha256

Solved
Hi Support,

 

We have created a PHP based webhook as per shopify guidelines to check order signature. Here is the code:

 

<?php
// Verifying a Shopify webhook order
define('SHOPIFY_APP_SECRET', 'OUR_SECRET_CODE_HERE');

function verify_webhook($data, $hmac_header)
{
  // Shopify signs the raw request body with HMAC-SHA256 under the app secret
  // and sends the base64-encoded digest in the X-Shopify-Hmac-SHA256 header.
  $calculated_hmac = base64_encode(hash_hmac('sha256', $data, SHOPIFY_APP_SECRET, true));
  // hash_equals() requires two strings, so reject a missing header before comparing.
  if (!is_string($hmac_header)) {
    return false;
  }
  // Constant-time comparison: known value first, user-supplied value second.
  return hash_equals($calculated_hmac, $hmac_header);
}

// The HMAC must be computed over the raw body, not over a re-serialised copy of it.
$hmac_header = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? null;
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);

Our risk assessment team reviewed the code and told us that 'sha256' encryption is weak and deprecated, suggested we use 'bcrypt' in addition to HMAC, and provided the following URL:
 
As we are receiving signature from Shopify through webhook, is there any possibility to apply 'bcrypt' in addition to 'sha256'? Please let us know your thoughts and provide guidance on this.

Success.

Shopify Staff

For storing passwords, bcrypt is a good option. This is what the linked stackexchange article recommends. SHA256 isn't deprecated, and for HMAC based on a secret key, the encryption isn't considered weak.

HMAC and password storage are different problems. bcrypt is designed to be purposefully slow to prevent brute-force attacks, which is a poor choice for something like webhooks, when you may be processing thousands (or tens of thousands) a second.

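To make the answer above concrete, here is an added PHP example (not code from the original thread, from Shopify, or from the poster's app) that runs both sides of the exchange: the sender computes the base64 HMAC-SHA256 of the raw body under the shared secret, and the receiver recomputes it and compares in constant time. The secret value, the sample order body, the helper names `sign_body`, `verify_webhook` and `expect`, and the constant `DEMO_APP_SECRET` are all assumptions made for the demo; the cases it exercises are a genuine delivery, a tampered body, a missing header, a wrong secret, and the re-serialised-JSON pitfall.

```php
<?php
// Added example, not from the original post or from Shopify. The secret,
// payload and header values are constructed for the demo.

const DEMO_APP_SECRET = 'demo-shared-secret'; // placeholder (assumption), not a real app secret

// Sender side (what Shopify does): HMAC-SHA256 over the raw request body,
// keyed with the app secret, base64-encoded into X-Shopify-Hmac-SHA256.
function sign_body(string $rawBody, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
}

// Receiver side: recompute over the exact raw bytes and compare in constant
// time. A missing header is rejected up front because hash_equals() requires
// two strings.
function verify_webhook(string $rawBody, ?string $hmacHeader, string $secret): bool
{
    if ($hmacHeader === null || $hmacHeader === '') {
        return false;
    }
    return hash_equals(sign_body($rawBody, $secret), $hmacHeader);
}

// Tiny self-check helper: stops the script if a case does not behave as expected.
function expect(bool $actual, bool $wanted, string $label): void
{
    if ($actual !== $wanted) {
        throw new RuntimeException("unexpected result for: $label");
    }
    echo "ok: $label\n";
}

// Constructed sample order body, exactly as it would arrive on the wire.
$rawBody = '{"id":1001,"total_price":"49.00","currency":"USD"}';
$header  = sign_body($rawBody, DEMO_APP_SECRET);

// 1. Genuine delivery: body and header untouched.
expect(verify_webhook($rawBody, $header, DEMO_APP_SECRET), true, 'genuine delivery verifies');

// 2. Body altered in transit (price changed): the signature no longer matches.
$tampered = str_replace('"49.00"', '"0.01"', $rawBody);
expect(verify_webhook($tampered, $header, DEMO_APP_SECRET), false, 'tampered body rejected');

// 3. No header at all, e.g. a request that did not come from Shopify.
expect(verify_webhook($rawBody, null, DEMO_APP_SECRET), false, 'missing header rejected');

// 4. Receiver configured with the wrong secret (rotated or mis-pasted key).
expect(verify_webhook($rawBody, $header, 'some-other-secret'), false, 'wrong secret rejected');

// 5. Pitfall: decoding and re-encoding the JSON changes the bytes (spacing,
// key order, number formatting), so the HMAC must be computed over the raw
// body from php://input, never over json_encode(json_decode(...)).
$reserialised = json_encode(json_decode($rawBody), JSON_PRETTY_PRINT);
expect($reserialised === $rawBody, false, 're-serialised body differs from raw bytes');
expect(verify_webhook($reserialised, $header, DEMO_APP_SECRET), false, 're-serialised body rejected');

// 6. Throughput: HMAC-SHA256 is cheap, which is exactly why it suits
// high-volume webhooks where a deliberately slow password hash would not.
$start = microtime(true);
for ($i = 0; $i < 10000; $i++) {
    verify_webhook($rawBody, $header, DEMO_APP_SECRET);
}
printf("10000 verifications in %.3f s\n", microtime(true) - $start);
```

Save it as, say, `webhook_demo.php` (a hypothetical file name) and run it with `php webhook_demo.php`; it prints one `ok:` line per case and a timing for the loop. The design point it illustrates is the one the staff reply makes: the receiver has to reproduce exactly the value Shopify computed from the raw body and the shared secret, so there is no step in this protocol where a second, slower algorithm such as bcrypt could be inserted on the receiving side, and the cheapness of HMAC-SHA256 is a feature for a path that may see thousands of deliveries a second.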