In many examples (also the Product review app example), we can see that the app, receiving a request from Shopify through the App Proxy, verifies it via signature hmac to make sure it comes from Shopify (correct).
However, as long as everyone can call the App Proxy URL directly, I do not get the point. Sure, the user cannot call your app endpoint directly, but by being able to call the App Proxy URL directly, any signature verification will always be true, thus, IMO pointless.
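The check the post refers to, written out as an added example (not part of the original post and not Shopify's or any app's own code), to show which request parameters the signature covers. It assumes the proxy appends `shop`, `path_prefix`, `timestamp`, `logged_in_customer_id` and `signature`, and that the signature is a hex HMAC-SHA256 over the sorted `key=value` pairs; the secret, the sample values, the freshness window and the helper `sign_like_proxy` are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

MAX_AGE_SECONDS = 60  # assumed freshness window, chosen for this example


def expected_signature(params, secret):
    """HMAC-SHA256 over sorted 'key=value' strings joined with no separator."""
    pairs = sorted(f"{key}={','.join(values)}" for key, values in params.items())
    return hmac.new(secret.encode(), "".join(pairs).encode(), hashlib.sha256).hexdigest()


def verify_proxy_request(query_string, secret, now=None):
    """Return the signed parameters, or None when the request must be rejected."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [""])[0]
    expected = expected_signature(params, secret)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None  # missing signature, wrong secret, or a parameter was altered
    try:
        signed_at = int(params["timestamp"][0])
    except (KeyError, ValueError):
        return None
    current = time.time() if now is None else now
    if abs(current - signed_at) > MAX_AGE_SECONDS:
        return None  # validly signed but stale, e.g. a saved URL sent again later
    return {key: ",".join(values) for key, values in params.items()}


def sign_like_proxy(fields, secret):
    """Constructed stand-in for the proxy side; only builds sample input."""
    params = {key: [value] for key, value in fields.items()}
    return urlencode({**fields, "signature": expected_signature(params, secret)})


if __name__ == "__main__":
    SECRET = "constructed-app-secret"  # constructed value, not a real credential
    sample = {"shop": "example.myshopify.com", "path_prefix": "/apps/reviews",
              "timestamp": "1700000000", "logged_in_customer_id": ""}
    query = sign_like_proxy(sample, SECRET)
    print(verify_proxy_request(query, SECRET, now=1_700_000_010))
```

The returned dictionary is the only part of the request the app can treat as set by the proxy; any other query or body field is visitor-supplied input and needs its own validation.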