Development discussions around Shopify APIs
I'm trying to setup a web server to handle the shopify webhooks about order info and get the product Inventory info with the api.
Just like the example
To be safety,I setup some firewall rules and want to make a whitelist of the IP addresses .
so that only Shopify's server can access our server.
I try to google to find something about the IP range of Shopify, but i got nothing.
Can you help me ?
You shouldn't have to be validating that requests are coming from Shopify on the network level. Our webhook requests come with a calculated HMAC signature to verify that the request in fact came from Shopify:
Alex | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
I know this is an old post, but @Alex, to be blunt that answer is not acceptable. People whitelist for a lot of reasons, only 1 of which might be to verify the request is coming from you. I'm running into this now with our Shopify integration and the biggest reason we want to whitelist is not to verify the shopify connection it is to AVOID ALL OTHER CONNECTIONS! Why expose a service that needs a request from 1 application to the entire world to be attacked and possibly compromised?!?
Can you confirm if Shopify still hasn't fixed this issue? It is pretty standard in the industry, even if that whitelist includes entire class-c ranges, to provide IPs for whitelisting for webhooks. The fact Shopify doesn't take this level of security seriously is very concerning.
I also would like an answer to this.
Any traction on this? This is a very basic and necessary ask. There must be a CIDR you can provide for whitelisting.
Giving this another boost. It's asinine to completely open a server up to connections from any source if there's only a need to accept Shopify webhooks.
Giving this yet another boost. Like the others have stated, it is ridiculous to not offer an updated IP range to block 99% of the internet from hitting a service that needs to come from a single source.
jI doubt this will be resolved any time soon as it seems requires some infrastructural changes for Shopify backend.
From what i have found the entire IP address space used/owned by Shopify is as follows:
Hopefully this helps someone out there
As a business owner, have you ever wondered when your customer's first impression of yo...By Skye Jun 6, 2023
We're excited to announce improvements to the threaded messaging experience in our communi...By TyW May 31, 2023
Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...By Jacqui May 30, 2023