FROM CACHE - en_header

How do you reliably validate which shop a Webhook is for?

jne
Shopify Partner
3 0 1
‎11-24-2021 10:45 AM

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.

 

However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.

 

The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?

210 Views
0 Likes
Report
Replies 0 (0)

Community Blog Articles

31-54-5hg9c-2x272
Community Update! Threading Improvements

We're excited to announce improvements to the threaded messaging experience in our communi...

By TyW May 31, 2023
default image
We Answered Your Questions to Help You Get the Most Out of Your Shopify <> ...

Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...

By Jacqui May 30, 2023
24-09-19241-65844.png
Introduction to Shopify Sales Channels

Photo by Marco Verch Sales channels on Shopify are various platforms where you can sell...

By Ollie May 25, 2023
Terms of Service Privacy Policy