Request sign Web Pixel Fetch requests

Mun01
Shopify Partner

Is it possible to do some sort of Request Signing on the fetch requests made in Web Pixels so I can verify that the source of the event is credible? I see that Shopify does not provide access to the globals required to use crypto in a web worker, as mentioned here: https://shopify.dev/docs/apps/marketing/pixels#sandbox-environments

The issue is that it seems like the requests show up in the network tab showing all the parts of the request, meaning someone can easily figure out how to overload the server with requests.

Reply 1 (1)

HishamMB
Shopify Partner

Hi,

You wouldn't want to sign on the client side (browser) because you'll have to expose your key.

Since the request is originating on the client side, ultimately, there's nothing you can do to prevent it from being stolen/replayed/etc.

That being said, and this does not fully address what you're concerned about, you can use the Shopify App Proxy to make requests from your Web Pixels to your store's URL under a specific path that you configure in the App Proxy. This is then forwarded to your actual server, with a signature, so you can ensure that Shopify sent it via the App Proxy. This also hides your server's actual URL.

Hope this sheds some light and helps.
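
The server-side check the reply refers to, as an added example that is not part of the original thread or Shopify's own code: it follows Shopify's documented App Proxy signature calculation (HMAC-SHA256 of the sorted query parameters, keyed with the app's shared secret). The function names, the `event` parameter, the sample values and the 300-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

def proxy_signature(params, shared_secret):
    """HMAC-SHA256 over the sorted 'key=value' pairs, concatenated with no
    separator; repeated keys have their values joined with ','."""
    message = "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))
    return hmac.new(shared_secret.encode(), message.encode(),
                    hashlib.sha256).hexdigest()

def verify_app_proxy_request(query_string, shared_secret, max_age=300, now=None):
    """Return True only for a correctly signed, recent App Proxy request."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [])
    if len(supplied) != 1:
        return False  # missing or duplicated signature parameter
    expected = proxy_signature(params, shared_secret)
    # Constant-time comparison on bytes: no timing leak, no error on odd input.
    if not hmac.compare_digest(expected.encode(), supplied[0].encode()):
        return False
    # Assumption: also reject old requests to narrow the replay window. The
    # 300-second tolerance is an illustrative choice, not a Shopify value.
    try:
        timestamp = int(params.get("timestamp", [""])[0])
    except ValueError:
        return False
    now = time.time() if now is None else now
    return abs(now - timestamp) <= max_age

# Constructed sample data: not a real shop, secret or pixel payload.
SAMPLE_SECRET = "constructed-shared-secret"
SAMPLE_PARAMS = {
    "shop": ["example-shop.myshopify.com"],
    "path_prefix": ["/apps/pixel"],
    "timestamp": ["1700000000"],
    "logged_in_customer_id": [""],
    "event": ["page_viewed"],  # hypothetical parameter sent by the pixel
}

def sample_signed_query(secret=SAMPLE_SECRET):
    """Build the query string the proxy would forward for the sample above."""
    signature = proxy_signature(SAMPLE_PARAMS, secret)
    return urlencode(SAMPLE_PARAMS, doseq=True) + "&signature=" + signature

if __name__ == "__main__":
    print(verify_app_proxy_request(sample_signed_query(), SAMPLE_SECRET,
                                   now=1700000060))
```

A passing check shows only that the request was forwarded by Shopify through the App Proxy; the event data inside it still comes from the browser, so rate limiting and input validation on the endpoint remain necessary.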