How do you reliably validate which shop a Webhook is for?

jne
New Member
1 0 0

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.

 

However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.

 

The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?

Replies 0 (0)