How to Prevent Manual Cart Quantity Changes v

vineela09
Visitor

Hi everyone,

I'm currently working on a Shopify store using a trial (non-Plus) account, and I've implemented product quantity limits through theme customizations. While this works fine through the user interface, a recent pentest revealed that it's still possible to manually modify the quantity by sending a POST request to /cart/update.js with a custom payload — completely bypassing the front-end controls.

A pentester was able to change the quantity like this:

    {
      "updates": {
        "PRODUCT_ID": 99
      }
    }

This updated the cart directly, ignoring the max quantity limits we set on the product.

My Questions:

  1. Is there any way to block or validate /cart/update.js requests on the server-side without having access to Shopify Plus or Functions?

  2. Are there apps or workarounds that enforce limits even against manual POST requests (e.g., via webhook validations or redirecting invalid carts)?

  3. I’m currently testing Avada Order Limits Quantity, which works well on the front end, but it seems not to fully stop these types of backend modifications. Any suggestions?

🧩 Goal:

To block or reject any cart manipulation where users try to bypass quantity limits — without requiring Shopify Plus (at least for the prototype phase).

I would really appreciate advice from anyone who has faced and solved a similar issue!

Thanks in advance.



Reply 1 (1)

TheRealJohnDoe
Visitor

I would also like an answer to this. There currently exist numerous cart manipulation tactics that have been used in our store, specifically /cart/{variant-id}:1, and unfortunately not enough mitigation tactics for non-Plus users.
This results in the user being able to bypass any checks we have in place on the cart page and go straight to the checkout.

If you find any solution, please post what you found here!
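
Added example, not part of either post and not Shopify or app code: the first post's `updates` payload re-checked on the server side, since limits enforced only in the theme are never seen by a direct POST. It assumes a server-side step you control that receives the same payload shape; `LIMITS`, `checkUpdates` and the ids are hypothetical, constructed values.

```javascript
// Server-side re-check of a cart "updates" payload (added example).
// LIMITS and checkUpdates are hypothetical names; ids and limits are constructed.
const LIMITS = { "1001": 5, "1002": 2 }; // max quantity allowed per id

function checkUpdates(payload, limits = LIMITS) {
  const violations = [];
  const accepted = {};
  const updates = payload && payload.updates;
  // Only the { id: quantity } object shape from the post is accepted.
  if (updates === null || typeof updates !== "object" || Array.isArray(updates)) {
    return { ok: false, accepted, violations: [{ id: null, reason: "malformed updates" }] };
  }
  for (const [id, raw] of Object.entries(updates)) {
    // Accept JSON numbers or plain digit strings; "5e1", "0x10", 2.5, -1 are rejected.
    const qty = typeof raw === "number" ? raw
      : (typeof raw === "string" && /^\d+$/.test(raw) ? Number(raw) : NaN);
    if (!Number.isInteger(qty) || qty < 0) {
      violations.push({ id, reason: "quantity is not a non-negative integer" });
    } else if (!Object.prototype.hasOwnProperty.call(limits, id)) {
      // Assumption: ids without a configured limit are denied by default.
      violations.push({ id, reason: "no limit configured; denied by default" });
    } else if (qty > limits[id]) {
      violations.push({ id, reason: `quantity ${qty} exceeds limit ${limits[id]}` });
    } else {
      accepted[id] = qty;
    }
  }
  // Reject the whole request if any line violates a limit.
  return { ok: violations.length === 0, accepted, violations };
}

// Constructed request mirroring the payload in the post.
console.log(checkUpdates({ updates: { "1001": 99 } }));
```

The same check applies to the final cart contents however they were built, so a cart populated through another path is measured against the same limits.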