Whats the point of App Proxy Signature verification?

Whats the point of App Proxy Signature verification?

dreadmill
Shopify Partner
8 0 1

In many examples (also the Product review app example), we can see that the app, receiving a request from Shopify through the App Proxy, verfifies it via signature hmac to make sure it comes from Shopify (correct).
However, as long as everyone can call the App Proxy URL directly, I do not get the point. Sure, the user cannot call your app endpoint directly, but by being able to call the App Proxy URL directly, any signature verification will be true always, thus, IMO pointless.

Replies 0 (0)