
Initial requirements - HTTPS webhook

CristiesMan1107
Tourist

Hi guys, 

 

We're facing this problem before submitting the app. This is the message: "Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest". 

 

I have some questions:

1. For now, we have followed the Shopify resources. However, the message is still there. 
Do you know whether this testing process is automatic or manual?

We're planning to resubmit if this process is manual.

 

2. Do you have any new resources that would let us know whether we did everything right?

Below is the resource that we have followed: 

https://shopify.dev/apps/webhooks/configuration/https#verify-a-webhook

 

Happy coding,

 

 

 


EcomGraduates
Shopify Partner

This means that the webhook endpoints of your app, which use the HTTPS protocol, must verify the HMAC digest of each incoming request. If the digest is invalid, the webhook should return an HTTP 401 status code, which indicates that the request is unauthorized.

The HMAC (hash-based message authentication code) digest is a way of verifying the authenticity and integrity of a request. It is generated using a secret key that is shared between the app and the service that is sending the request. When the app receives a request, it can compute the HMAC digest of the request using the same secret key and compare it to the digest that was included in the request. If the two digests match, it indicates that the request is genuine and has not been tampered with.

If the digests do not match, it indicates that the request is not genuine and should be rejected. By requiring the webhook to validate the HMAC digest of each request and reject requests with an invalid digest, it helps ensure that the app only responds to genuine requests from trusted sources. This can help protect the app from various security threats, such as man-in-the-middle attacks and replay attacks.


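The check described in this thread, as an added example that is not part of either post or of Shopify's own code: Shopify sends the base64-encoded HMAC-SHA256 of the raw request body in the `X-Shopify-Hmac-Sha256` header, keyed with the app's client secret. The function names, the secret and the payload below are constructed for illustration; the handler returns 401 for a missing, malformed or mismatched digest and verifies the exact bytes received before any JSON parsing.

```python
import base64
import hashlib
import hmac
import json

# Header that carries the base64-encoded HMAC-SHA256 of the raw request body.
HMAC_HEADER = "X-Shopify-Hmac-Sha256"


def compute_digest(secret: bytes, raw_body: bytes) -> bytes:
    """HMAC-SHA256 over the exact bytes received, before any JSON parsing."""
    return hmac.new(secret, raw_body, hashlib.sha256).digest()


def is_valid(secret: bytes, raw_body: bytes, header_value) -> bool:
    if not header_value:
        return False  # a missing header counts as an invalid digest
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False  # malformed base64
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(compute_digest(secret, raw_body), received)


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Return (status, body); the payload is parsed only after verification."""
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not is_valid(secret, raw_body, lookup.get(HMAC_HEADER.lower())):
        return 401, "Unauthorized"
    payload = json.loads(raw_body)
    return 200, f"accepted order {payload['id']}"


# Constructed sample values, not real credentials or a real payload.
SECRET = b"example-client-secret"
BODY = b'{"id": 1001,  "total": "19.99"}'
GOOD = base64.b64encode(compute_digest(SECRET, BODY)).decode()

if __name__ == "__main__":
    print(handle_webhook(SECRET, {HMAC_HEADER: GOOD}, BODY))         # valid digest
    print(handle_webhook(SECRET, {HMAC_HEADER: GOOD}, BODY + b" "))  # body altered
    print(handle_webhook(SECRET, {}, BODY))                          # header missing
```

If the web framework parses the JSON body before the handler runs, capture the raw bytes first: a re-serialized payload rarely matches the bytes that were signed, so the digest comparison fails even for genuine requests.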