We've built an app and are using app proxy on our API on the frontend to ensure the requesting store is who they say they are via HMAC.
We've tried to do the same in Admin but it isn't working due to CORS (which is odd, because it's the same process as the frontend).
Anyway, is there a best practice for ensuring that the store is authentic? Currently, it seems to be quite easy for any store to request information about any other using the API.
Is App Proxy supposed to also be used in admin?
The App Proxy is not for admin - it is used on the frontend when you want to request a URL from your server that requires authentication and/or billing.
The way this works is that the site makes a request to the App Proxy URL, and Shopify respond with a 301 redirect that contains the authentication information for you as parameters in the URL.
This means it is secure because there do not have to be any secrets in the frontend code.
Shopify know who you are, and know who the developer is, so they tell the visitor's browser where to go on the app server, along with a set of single-use credentials usable only for that request.
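How an app server would check the HMAC that arrives with an App Proxy request, as an added example that is not part of the original reply: the secret, store name and parameter values below are constructed, and the canonicalisation (drop `signature`, sort the `key=value` pairs, join with no delimiter, HMAC-SHA256 with the app's shared secret) is Shopify's documented scheme rather than anything quoted on this page.

```python
"""Verify the HMAC signature Shopify attaches to App Proxy requests."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode


def _canonical_message(params: dict[str, list[str]]) -> str:
    # Shopify concatenates the sorted "key=value" strings with no separator;
    # a key that occurs more than once has its values joined with a comma.
    pairs = [f"{k}={','.join(v)}" for k, v in params.items() if k != "signature"]
    return "".join(sorted(pairs))


def sign_query(params: dict[str, list[str]], shared_secret: str) -> str:
    """Hex HMAC-SHA256 of the canonical message under the app's shared secret."""
    return hmac.new(
        shared_secret.encode("utf-8"),
        _canonical_message(params).encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()


def verify_app_proxy_request(query_string: str, shared_secret: str) -> bool:
    """Return True only if the query string carries a valid `signature`."""
    params = parse_qs(query_string, keep_blank_values=True)
    provided = params.get("signature", [""])[0]
    if not provided:
        return False
    expected = sign_query(params, shared_secret)
    # Constant-time comparison on bytes so timing does not leak the digest
    # and a non-ASCII value supplied by a client cannot raise an exception.
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


# Constructed sample request: the store, secret and timestamp are made up.
SHARED_SECRET = "constructed-shared-secret"
SAMPLE_PARAMS = {
    "shop": ["example-store.myshopify.com"],
    "path_prefix": ["/apps/demo"],
    "timestamp": ["1317327555"],
    "logged_in_customer_id": [""],
}
SAMPLE_QUERY = (
    urlencode(SAMPLE_PARAMS, doseq=True)
    + "&signature=" + sign_query(SAMPLE_PARAMS, SHARED_SECRET)
)

if __name__ == "__main__":
    print(verify_app_proxy_request(SAMPLE_QUERY, SHARED_SECRET))  # True
    tampered = SAMPLE_QUERY.replace("example-store", "other-store")
    print(verify_app_proxy_request(tampered, SHARED_SECRET))  # False
```

A request from another store, or one where any parameter has been altered, fails the check because the signature was computed over the whole sorted parameter set.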