App reviews, troubleshooting, and recommendations
I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.
However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.
The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?
As a business owner, have you ever wondered when your customer's first impression of yo...
By Skye Jun 6, 2023We're excited to announce improvements to the threaded messaging experience in our communi...
By TyW May 31, 2023Thank you to everyone who participated in our AMA with Klaviyo. It was great to see so man...
By Jacqui May 30, 2023