Shopify APIs and SDKs

ryu_hi · ‎10-18-2017

Hi

I'm trying to setup a web server to handle the shopify webhooks about order info and get the product Inventory info with the api.

Just like the example

https://87fab92e6eb3b6fa8f3cXXXXXXX:fee4da98de136cad33a2dXXXXXXXX@classico-inc.myshopify.com/admin/v...

To be safety,I setup some firewall rules and want to make a whitelist of the IP addresses .
so that only Shopify's server can access our server.

I try to google to find something about the IP range of Shopify, but i got nothing.

Can you help me ?

Alex · ‎10-18-2017

Hey there,

You shouldn't have to be validating that requests are coming from Shopify on the network level. Our webhook requests come with a calculated HMAC signature to verify that the request in fact came from Shopify:

https://help.shopify.com/api/getting-started/webhooks#verify-webhook

Cheers.

Alex | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog

Dango19 · ‎06-08-2020

I know this is an old post, but @Alex, to be blunt that answer is not acceptable. People whitelist for a lot of reasons, only 1 of which might be to verify the request is coming from you. I'm running into this now with our Shopify integration and the biggest reason we want to whitelist is not to verify the shopify connection it is to AVOID ALL OTHER CONNECTIONS! Why expose a service that needs a request from 1 application to the entire world to be attacked and possibly compromised?!?

Can you confirm if Shopify still hasn't fixed this issue? It is pretty standard in the industry, even if that whitelist includes entire class-c ranges, to provide IPs for whitelisting for webhooks. The fact Shopify doesn't take this level of security seriously is very concerning.

hpkm · ‎10-03-2020

@Alex Can you please provide an answer?

Josh_Wold1 · ‎10-08-2020

I also would like an answer to this.

bemissmith · ‎04-28-2021

Any traction on this? This is a very basic and necessary ask. There must be a CIDR you can provide for whitelisting.

thiswillendwell · ‎06-07-2021

Giving this another boost. It's asinine to completely open a server up to connections from any source if there's only a need to accept Shopify webhooks.

G_W24 · ‎07-08-2021

Giving this yet another boost. Like the others have stated, it is ridiculous to not offer an updated IP range to block 99% of the internet from hitting a service that needs to come from a single source.

chenster · ‎07-08-2021

jI doubt this will be resolved any time soon as it seems requires some infrastructural changes for Shopify backend.

Cartoo

plunk85 · ‎03-13-2023

From what i have found the entire IP address space used/owned by Shopify is as follows:

23.227.32.1/19

Hopefully this helps someone out there

Shopify APIs and SDKs

Can you tell me the IP address range of the Shopify api or the Shopify wehook servers

Community Blog Articles

Shopify Community

Support

Shopify

Quick Links