Shopify Discussion

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.

However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.

The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?