I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.
However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.
The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?
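The situation described in the question, as an added example that is not part of the original post: a body-only HMAC check returns the same result whatever value the X-Shopify-Shop-Domain header carries. The secret, body and shop names are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values (placeholders, not real credentials or shops).
SHARED_SECRET = b"example-shared-secret"
RAW_BODY = b'{"id": 1001, "email": "buyer@example.com"}'
MAC_HEADER = "X-Shopify-Hmac-Sha256"
SHOP_HEADER = "X-Shopify-Shop-Domain"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 over the raw body bytes only."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True when the MAC header matches the raw body; no other header is read."""
    received = headers.get(MAC_HEADER, "")
    expected = sign_body(secret, raw_body)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), received.encode())


def authenticated_fields(secret: bytes, raw_body: bytes, headers: dict) -> dict:
    """Separate what the MAC vouches for from what it does not."""
    return {
        "body_authenticated": verify_webhook(secret, raw_body, headers),
        # These headers are never an input to the MAC, whatever the result.
        "unauthenticated_headers": sorted(h for h in headers if h != MAC_HEADER),
    }


def make_headers(shop: str, raw_body: bytes = RAW_BODY) -> dict:
    """Build constructed request headers for the given shop name."""
    return {MAC_HEADER: sign_body(SHARED_SECRET, raw_body), SHOP_HEADER: shop}


if __name__ == "__main__":
    for shop in ("shop-a.example", "shop-b.example"):
        headers = make_headers(shop)
        print(shop, authenticated_fields(SHARED_SECRET, RAW_BODY, headers))
    # A changed body fails verification; a changed shop header does not.
    print(verify_webhook(SHARED_SECRET, RAW_BODY + b" ", make_headers("shop-a.example")))
```
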