FROM CACHE - en_header
Promotion image

How do you reliably validate which shop a Webhook is for?

How do you reliably validate which shop a Webhook is for?

jne
Shopify Partner
8 0 12
‎11-24-2021 10:45 AM

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.

 

However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.

 

The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?

431 Views
0 Likes
Report
Replies 0 (0)

Community Blog Articles

shopp-e-1741972742895593780274096851.png
Canadian merchants: Update account details by March 24, 2025 to continue us...

Shopify and our financial partners regularly review and update verification requiremen...

By Jacqui Mar 14, 2025
Shopify_0-1741780029041.png
New learning path from Shopify Academy: How to create a digital marketing s...

Unlock the potential of marketing on your business growth with Shopify Academy's late...

By Shopify Mar 12, 2025
CRO-Community-Promo.jpg
Expert insights on conversion rate optimization (CRO) from Shopify Academy ...

Learn how to increase conversion rates in every stage of the customer journey by enroll...

By Shopify Mar 5, 2025
Terms of Service Privacy Policy