I understand I can create endpoints in my app (e.g. with Remix, by adding routes in app/routes). I watched tons of tutorials, and everyone shows how to create those routes, which you can then call with JavaScript fetch from your shop frontend, thus accessing Shopify data.
What I wonder about all of those approaches is that they basically create totally unsecured endpoints: anyone can check your endpoint URL in the browser and then call those endpoints and thus change data in your Shopify store.
Which I feel is a huge security issue.
I know I can slap an App Proxy before that and then check hmac and shop variables; however, this doesn't really solve anything, because yes, it does shield your app endpoints, but still anyone can call your app proxy endpoints instead.
Is there anything I understand wrongly?
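The App Proxy check mentioned in the question, as an added example that is not part of the original post: Shopify signs proxied requests with HMAC-SHA256 over the sorted query parameters, so a valid `signature` ties the request to a `shop` and to the `logged_in_customer_id` Shopify filled in, which the endpoint can authorize against. The function names, the 60-second freshness window and the sample values are assumptions made for this example.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// String that Shopify signs for an app proxy request: every query parameter
// except `signature`, written as key=value (repeated keys joined with ","),
// sorted, then concatenated with no separator.
function proxyMessage(params) {
  const grouped = new Map();
  for (const [key, value] of params) {
    if (key === "signature") continue;
    grouped.set(key, [...(grouped.get(key) || []), value]);
  }
  return [...grouped]
    .map(([key, values]) => `${key}=${values.join(",")}`)
    .sort()
    .join("");
}

// Hex HMAC-SHA256 of the message, keyed with the app's shared secret.
function sign(params, secret) {
  return createHmac("sha256", secret).update(proxyMessage(params)).digest("hex");
}

// Verifies a proxied request URL. On success, returns the shop and customer
// that Shopify vouched for; authorize writes against these, not the body.
// maxAgeSeconds is an assumed freshness window, not a Shopify-defined value.
function verifyProxyRequest(url, secret, nowSeconds, maxAgeSeconds = 60) {
  const params = new URL(url).searchParams;
  const given = Buffer.from(params.get("signature") || "", "utf8");
  const expected = Buffer.from(sign(params, secret), "utf8");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  const timestamp = Number(params.get("timestamp"));
  if (!Number.isFinite(timestamp) || Math.abs(nowSeconds - timestamp) > maxAgeSeconds) {
    return { ok: false, reason: "stale timestamp" };
  }
  return {
    ok: true,
    shop: params.get("shop"),
    // Empty when no customer is logged in on the storefront.
    customerId: params.get("logged_in_customer_id") || null,
  };
}
```
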