How do you reliably validate which shop a Webhook is for?

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.


However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.


The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in the X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in the X-Shopify-Shop-Domain header?

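One way to make the missing binding concrete, as an added example that is not part of the original post: for a public app the signing key is the app's API secret, which is the same for every shop that installed the app, so a valid X-Shopify-Hmac-Sha256 proves the body came from Shopify on behalf of some shop, not the shop named in X-Shopify-Shop-Domain. The handler below first shows that a signed body verifies unchanged when the shop header is swapped, then verifies the HMAC over the raw bytes with a constant-time compare, requires the claimed shop to be in its own install table, deduplicates on X-Shopify-Webhook-Id, and treats the body only as a hint: it re-reads the resource from the claimed shop with that shop's stored access token, so a replayed body whose resource does not exist in the claimed shop is dropped. `APP_SECRET`, the shop domains, tokens, webhook ids and payload are constructed; `fake_admin_api` is a stand-in for an Admin API lookup and `WebhookHandler` is a hypothetical name, not a class from any Shopify library.

```python
import base64
import hashlib
import hmac
import json

# Added example, not code from the original post. All secrets, shops,
# tokens, webhook ids and payloads here are constructed for illustration.
APP_SECRET = b"shpss_example_secret_not_real"  # one secret per app, shared by every install


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Value carried in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hmac(secret: bytes, raw_body: bytes, hmac_header: str) -> bool:
    """Constant-time check of the header against the raw, undecoded body bytes."""
    expected = sign_body(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, hmac_header.encode("utf-8", "replace"))


def spoof_demo() -> bool:
    """Same signed body, shop header replaced: both verify, because only the body is signed."""
    body = json.dumps({"id": 101, "email": "buyer@example.com"}).encode()
    sig = sign_body(APP_SECRET, body)
    genuine = {"X-Shopify-Hmac-Sha256": sig, "X-Shopify-Shop-Domain": "alpha.myshopify.com"}
    spoofed = {"X-Shopify-Hmac-Sha256": sig, "X-Shopify-Shop-Domain": "beta.myshopify.com"}
    return (verify_hmac(APP_SECRET, body, genuine["X-Shopify-Hmac-Sha256"])
            and verify_hmac(APP_SECRET, body, spoofed["X-Shopify-Hmac-Sha256"]))


def fake_admin_api(shop: str, token: str, resource_id):
    """Constructed stand-in for an Admin API GET on the claimed shop, keyed by (shop, token).
    Returns the resource or None when that shop does not have it."""
    store = {
        ("alpha.myshopify.com", "tok-alpha"): {101: {"id": 101, "email": "buyer@example.com"}},
        ("beta.myshopify.com", "tok-beta"): {},
    }
    return store.get((shop, token), {}).get(resource_id)


class WebhookHandler:
    """Hypothetical receiver: the signature authenticates Shopify, the install table and
    the per-shop re-read bind the delivery to the shop the headers claim."""

    def __init__(self, secret: bytes, installed_shops: dict, admin_api):
        self.secret = secret
        self.installed = installed_shops  # {shop_domain: offline access token}
        self.admin_api = admin_api        # callable(shop, token, resource_id) -> dict | None
        self.seen_ids = set()             # would be a persistent store in production
        self.applied = []                 # (shop, resource) pairs actually acted on

    def handle(self, headers: dict, raw_body: bytes) -> str:
        if not verify_hmac(self.secret, raw_body, headers.get("X-Shopify-Hmac-Sha256", "")):
            return "rejected: bad hmac"
        shop = headers.get("X-Shopify-Shop-Domain", "")
        token = self.installed.get(shop)
        if token is None:
            return "rejected: unknown shop"
        webhook_id = headers.get("X-Shopify-Webhook-Id", "")
        if not webhook_id or webhook_id in self.seen_ids:
            return "ignored: duplicate or missing webhook id"
        self.seen_ids.add(webhook_id)
        # The body is a hint only: take the resource id and re-read it from the claimed
        # shop with that shop's token. A body captured from shop A but delivered under
        # shop B's domain finds nothing in B and is dropped.
        resource_id = json.loads(raw_body).get("id")
        if resource_id is None:
            return "ignored: no resource id in body"
        fresh = self.admin_api(shop, token, resource_id)
        if fresh is None:
            return "ignored: resource not found in claimed shop"
        self.applied.append((shop, fresh))
        return "applied"


def run_demo() -> list:
    """Five constructed deliveries: genuine, shop header swapped, replay, tampered body, unknown shop."""
    installed = {"alpha.myshopify.com": "tok-alpha", "beta.myshopify.com": "tok-beta"}
    handler = WebhookHandler(APP_SECRET, installed, fake_admin_api)
    body = json.dumps({"id": 101, "email": "buyer@example.com"}).encode()
    base = {"X-Shopify-Hmac-Sha256": sign_body(APP_SECRET, body), "X-Shopify-Topic": "orders/create"}
    return [
        handler.handle({**base, "X-Shopify-Shop-Domain": "alpha.myshopify.com", "X-Shopify-Webhook-Id": "wh-1"}, body),
        handler.handle({**base, "X-Shopify-Shop-Domain": "beta.myshopify.com", "X-Shopify-Webhook-Id": "wh-2"}, body),
        handler.handle({**base, "X-Shopify-Shop-Domain": "alpha.myshopify.com", "X-Shopify-Webhook-Id": "wh-1"}, body),
        handler.handle({**base, "X-Shopify-Shop-Domain": "alpha.myshopify.com", "X-Shopify-Webhook-Id": "wh-3"}, body + b" "),
        handler.handle({**base, "X-Shopify-Shop-Domain": "gamma.myshopify.com", "X-Shopify-Webhook-Id": "wh-4"}, body),
    ]


if __name__ == "__main__":
    print("spoofed header still verifies:", spoof_demo())
    for outcome in run_demo():
        print(outcome)
```

`run_demo()` returns the outcome of each delivery in order; only the first is applied. Verifying on the raw request bytes matters: re-serialising a parsed JSON body changes whitespace and key order and breaks the HMAC.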