FROM CACHE - en_header

How do you reliably validate which shop a Webhook is for?

jne
Shopify Partner
3 0 0
‎11-24-2021 10:45 AM

How do you reliably validate which shop a Webhook is for?

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.

 

However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.

 

The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?

107 Views
0 Likes
Report
Replies 0 (0)

Community Blog Articles

Ollie_0-1661279629364.jpeg

Troubleshooting: Products aren't displaying in my collection

Have you created a collection on your online store and experienced an issue with adding yo...

By shopify staff Ollie Aug 24, 2022
Trevor_0-1658936764652.jpeg

How you can use PayPal to accept payments and pay your Shopify bill

Connect your PayPal account to allow your customers to checkout using the PayPal gateway a...

By shopify staff Ollie Jul 28, 2022
Ollie_0-1655835122068.jpeg

Improving your online store speed

Your online store speed can enhance your store’s discoverability, boost conversion rates a...

By shopify staff Ollie Jun 30, 2022
Terms of Service Privacy Policy