Shopify penetration test and mitigation


Hi Team

A pen-test was done to validate our e-com business and the security team found some issues. Can you suggest how to resolve these?

1. Unnecessary ports open on the server
   Too many open ports on the server. We understand this is a shared environment; is there anything we can do about this?

2. Possible to inject SQL queries
   Users can add SQL statements to forms, for example the address field in the shipping address.

3. Cache control headers are not set properly
   Can we set Cache-Control to no-store and Pragma to no-cache?

4. Secure and HttpOnly cookie attributes are not set
   Session cookies need to be set to Secure and HttpOnly.

5. My Order request can be automated to harvest customer PII data
   Adding captcha to areas where login is needed.

6. The web server contains a robots.txt file
   Modify robots.txt to have non-sensitive information.

7. CVV number is not masked on the checkout page
   Can we mask the CVV number during payment?

Any suggestion on the above is highly appreciated.
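Findings 3 and 4 above are the easiest to re-verify yourself before going back to the platform. The following is an added example (not Shopify's code, nor anything from the pen-test report): it parses a raw HTTP response such as a proxy would capture, checks Cache-Control/Pragma on a page that shows customer data, and checks every Set-Cookie header for the Secure and HttpOnly attributes. The two sample responses are constructed to show a failing and a passing case.

```python
"""Audit captured HTTP responses for the cache-control and cookie-flag
findings. Added example; the responses below are constructed samples."""

# Constructed sample: what a weak response for an account/order page looks like.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
Set-Cookie: _session_id=abc123; Path=/
Set-Cookie: cart_sig=def456; Path=/; Secure; HttpOnly; SameSite=Lax

<html>...</html>"""

# Constructed sample: the same page with the headers the report asks for.
FIXED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: _session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: cart_sig=def456; Path=/; Secure; HttpOnly; SameSite=Lax

<html>...</html>"""


def parse_headers(raw):
    """Split a raw response into the status line and a list of (name, value)
    pairs; names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\n\n", 1)[0]
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def get_all(headers, name):
    """All values of a repeatable header (Set-Cookie appears once per cookie)."""
    return [v for n, v in headers if n == name.lower()]


def check_cache_headers(headers):
    """Finding 3: a page showing customer data should not be stored by any cache."""
    findings = []
    joined = ", ".join(get_all(headers, "Cache-Control")).lower()
    directives = {d.strip() for d in joined.split(",") if d.strip()}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in [v.lower() for v in get_all(headers, "Pragma")]:
        findings.append("Pragma: no-cache missing")
    return findings


def check_cookies(headers):
    """Finding 4: every cookie should carry Secure and HttpOnly."""
    findings = []
    for raw in get_all(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(f"cookie {name} missing {', '.join(missing)}")
    return findings


def audit(raw):
    """Return the list of findings for one captured response (empty = clean)."""
    _status, headers = parse_headers(raw)
    return check_cache_headers(headers) + check_cookies(headers)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit(resp) or "no findings")
```

Run the same checks against the real responses the testers captured; only pages that render customer data need no-store, so do not expect every asset or storefront page to fail the cache check.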


They didn't provide a whole lot of information. I don't work at Shopify, just a dev/ops nerd, so take this with a grain of salt:


1. I doubt Shopify is going to change open ports. Knowing which ports they believe need to be closed is a good start. Shopify has a lot of integrations, and the ports are likely open for a reason.

2. Do they have proof that an SQL injection is possible? That would mean they were able to read or write additional data to the server. If you have 3rd party apps that deal with shipping, they may have bugs or security issues.


Actually, all of the answers to the other problems are about the same - they should show some examples, cookies and headers are unlikely to change due to specific use cases of Shopify, etc. has some info about robots.txt. Again, you can make minor changes, but not change the file overall.


CVV I have no answer to, maybe there's an app or plugin that masks it.
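On the question of whether "SQL statements in the address field" is a real injection: the distinction is whether the field's contents reach the database as part of the SQL text or as a bound value. This added example (not Shopify code, not code from any shipping app; the table is constructed) puts the two patterns side by side. A perfectly ordinary address containing an apostrophe already breaks the string-built version, while the parameterized version stores it verbatim.

```python
"""String-built query (the injectable pattern) beside a parameterized one.
Added example; the shipping table and addresses are constructed."""
import sqlite3


def make_db():
    """Fresh in-memory database with a minimal constructed shipping table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shipping (order_id INTEGER, address TEXT)")
    return conn


def save_address_unsafe(conn, order_id, address):
    # Vulnerable pattern: the user's text is pasted into the SQL statement,
    # so quotes or SQL fragments in the address change the statement itself.
    sql = f"INSERT INTO shipping VALUES ({int(order_id)}, '{address}')"
    conn.execute(sql)
    conn.commit()


def save_address_safe(conn, order_id, address):
    # Hardened pattern: the driver binds the value separately from the SQL
    # text, so the address is stored as data whatever characters it holds.
    conn.execute("INSERT INTO shipping VALUES (?, ?)", (int(order_id), address))
    conn.commit()


def stored_address(conn, order_id):
    """Read back what actually landed in the table for one order."""
    row = conn.execute(
        "SELECT address FROM shipping WHERE order_id = ?", (order_id,)
    ).fetchone()
    return row[0] if row else None


def demo(address):
    """Return (outcome of unsafe insert, outcome of safe insert) for one address.
    The unsafe outcome is the stored text, or the error class name on failure."""
    conn = make_db()
    try:
        save_address_unsafe(conn, 1, address)
        unsafe = stored_address(conn, 1)
    except sqlite3.Error as exc:
        unsafe = f"error: {type(exc).__name__}"
    save_address_safe(conn, 2, address)
    return unsafe, stored_address(conn, 2)


if __name__ == "__main__":
    print(demo("1 Main St"))
    print(demo("12 O'Brien Ave"))
```

The apostrophe case is the honest test for an app vendor: if "12 O'Brien Ave" produces a database error or a mangled record, the field is being interpolated into SQL and the vendor needs to switch to bound parameters; if it round-trips intact, the finding most likely does not apply to that code path.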


Hi Andrew


Thanks for your suggestions.


The team did provide clear examples for each and every issue. I could not post them here for security reasons.

I assumed Shopify is not going to make any changes at their end to satisfy a single customer's needs, but was hoping there is a workaround for this.





Just a quick update about the robots.txt file that was referenced in this post. As of today, June 21st, 2021, we have launched the ability to edit the robots.txt file to give merchants more control over the information that is crawled by search engines. You can learn more about how to edit your robots.txt file through our community post here.

If you have any questions about the new feature, please do not hesitate to create a new post under our "Technical QA" board.

Trevor | Community Moderator @ Shopify 