To allow storefront access to my app (via app proxy), I had to create a public app – but the app is using my private app credentials to make the API calls on the server. None of the POST requests on the front-end show these credentials, but will hard-coding the credentials into my app (on the server) be a security risk? Since the app will be hosted on Heroku or some other server, it seems like it should be fine, since the website client is POSTing into the server. The server runs the query to process the POST request and sends a response back to the client.
Is this the proper way to run API requests in a private app and use the app proxy?
This is an accepted solution.
Hi @gdavisdesign,
I don't see an issue with your approach. Just make sure, as you said, you're not exposing any of your credentials on the client. If your app is going to be hosted on Heroku, you can use their config vars (environment variables) to securely store and access your credentials for use in your production server.
Cheers,
To learn more visit the Shopify Help Center or the Community Blog.
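Added example, not part of the original thread and not Shopify's or Heroku's code: one way a server can read private app credentials from config vars instead of hard-coding them, refuse to start when one is missing, and keep them out of logs and client responses. The variable names, class and function names, and the use of HTTP Basic auth are assumptions made for illustration.

```python
import base64
import json
import os

# Hypothetical names; on Heroku set each with `heroku config:set NAME=value`.
REQUIRED_VARS = ("SHOPIFY_API_KEY", "SHOPIFY_API_PASSWORD", "SHOPIFY_SHOP_DOMAIN")


class MissingCredentialError(RuntimeError):
    """Raised at startup when a required config var is unset or empty."""


class ShopifyCredentials:
    """Private app credentials that live only in server memory."""

    def __init__(self, api_key, password, shop_domain):
        self._api_key = api_key
        self._password = password
        self.shop_domain = shop_domain

    def __repr__(self):
        # Keep secret values out of logs, tracebacks and debug pages.
        return f"ShopifyCredentials(shop_domain={self.shop_domain!r}, secrets=<redacted>)"

    def auth_header(self):
        # Assumption: HTTP Basic auth (key:password) on server-to-Shopify calls.
        pair = f"{self._api_key}:{self._password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(pair).decode()}

    def leaks_into(self, text):
        return self._api_key in text or self._password in text


def load_credentials(environ=os.environ):
    """Read credentials from the environment; fail closed if any is missing."""
    missing = [name for name in REQUIRED_VARS if not environ.get(name)]
    if missing:
        # Report variable names only, never values.
        raise MissingCredentialError("unset config vars: " + ", ".join(missing))
    return ShopifyCredentials(*(environ[name] for name in REQUIRED_VARS))


def client_response(creds, payload):
    """Serialize the reply to the storefront, refusing to send a credential."""
    body = json.dumps(payload)
    if creds.leaks_into(body):
        raise ValueError("response body contains a credential; not sending")
    return body
```

Call `load_credentials()` once at process start so a missing config var stops the deploy rather than surfacing on the first storefront request.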