FROM CACHE - en_header

How do you reliably validate which shop a Webhook is for?

jne
Shopify Partner
3 0 0
‎11-24-2021 10:45 AM

How do you reliably validate which shop a Webhook is for?

I can successfully verify the HMAC of a Webhook matching the X-Shopify-Hmac-Sha256 header against the SHA256 hash of the body -- both for private apps and for public apps.

 

However, the hash only hashes the body, not the id of the shop which is in the X-Shopify-Shop-Domain header.

 

The question then is how does one verify that the Webhook call isn't spoofed -- with a valid signature in X-Shopify-Hmac-Sha256 header and body but with a replaced shop id in X-Shopify-Shop-Domain?

168 Views
0 Likes
Report
Replies 0 (0)

Community Blog Articles

circuits-on-a-whiteboard.jpg
5 Things I Wish I knew Before Starting a Business

Learn these 5 things I had to learn the hard way with starting and running my own business

By Kitana Jan 27, 2023
em_01.png
Building the perfect campaign on the Google Shopping channel - tips from Em...

Would you love to unleash the unbridled power of the Google Shopping Channel into your sho...

By Gabe Jan 6, 2023
em_01.png
How to Launch A Career With Community Forums: Talking with Emmanuel Flossie...

How can you turn a hobby into a career? That’s what Emmanuel did while working as a wa...

By Skye Dec 30, 2022
Terms of Service Privacy Policy