FROM CACHE - en_header

How to validate the source of a script tag

bemissmith
Tourist
10 2 4
‎05-01-2021 09:52 PM

How to validate the source of a script tag

I have a script tag that successfully retrieves the payload from my server but I can't find an acceptable method for validating the source.  There doesn't seem to be an hmac available to check against.  How can I know this is from shopify since it a) runs via front end so waf rules can't be used to whitelist the source ip b) There is no hmac to validate the source either.

I can't find any way to get this to be anywhere close to secure.  Can anyone from shopify please comment on how this should be authenticated?

Is there some way to use script tags and app proxies together to make the front end call into the back end so the hmac will be included?

201 Views
Report
Reply 1 (1)
jackcylin
Shopify Partner
17 2 6
‎11-26-2021 02:31 AM

Re: How to validate the source of a script tag

What you need is app proxy.

90 Views
0 Likes
Report

Community Blog Articles

Trevor_0-1658936764652.jpeg

How you can use PayPal to accept payments and pay your Shopify bill

Connect your PayPal account to allow your customers to checkout using the PayPal gateway a...

By shopify staff Ollie Jul 28, 2022
Ollie_0-1655835122068.jpeg

Improving your online store speed

Your online store speed can enhance your store’s discoverability, boost conversion rates a...

By shopify staff Ollie Jun 30, 2022
woman-holding-mobile-phone.jpg

Optimizing Storefront for Mobile Shopping

Shopping is at our fingertips with mobile devices. Is your theme optimized to be user-frie...

By shopify staff Holly Jun 24, 2022
Terms of Service Privacy Policy