Join us for an upcoming Shopify Partner webinar on February 27, 2024. Discover the latest Checkout Extensibility features, and deep dive on improvements to Shopify Functions and Web Pixels. Register now for either the 10am EST or 2pm EST sessions.

Whats the point of App Proxy Signature verification?

dreadmill
Shopify Partner
7 0 1

In many examples (also the Product review app example), we can see that the app, receiving a request from Shopify through the App Proxy, verfifies it via signature hmac to make sure it comes from Shopify (correct).
However, as long as everyone can call the App Proxy URL directly, I do not get the point. Sure, the user cannot call your app endpoint directly, but by being able to call the App Proxy URL directly, any signature verification will be true always, thus, IMO pointless.

Replies 0 (0)