FROM CACHE - en_header

How do you reliably validate which shop a Webhook is for?

jne
Shopify Partner
3 0 1
‎11-24-2021 10:45 AM

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.

 

However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.

 

The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?

217 Views
0 Likes
Report
Replies 0 (0)

Community Blog Articles

Skye_0-1685651890195.png
Creating a Shopify Store: The Importance Of Choosing The Right Theme

As a business owner, have you ever wondered when your customer's first impression of yo...

By Skye Jun 6, 2023
31-54-5hg9c-2x272
Community Update! Threading Improvements

We're excited to announce improvements to the threaded messaging experience in our communi...

By TyW May 31, 2023
crowd-participating-at-event.jpg
We Answered Your Questions to Help You Get the Most Out of Your Shopify <> ...

Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...

By Jacqui May 30, 2023
Terms of Service Privacy Policy