GDPR webhooks do not include HMAC

alfredoc
Tourist

It looks like the GDPR webhooks do not include the "x-shopify-hmac-sha256" headers, so how can we be sure the request is safe to be executed? Only by knowing the shop_id, anyone can send a "shop/redact" to a known endpoint to delete the shop data...


O0O0
Shopify Staff

Hello! The `X-Shopify-Hmac-SHA256` header is always included in our `customers/redact` and `shop/redact` webhooks. Is there a specific request you've found that is missing it?


alfredoc
Tourist

Not exactly, it is the first time the hashes do not match, so I thought the HMAC was empty... but you are right, I'm sorry, it was our mistake.

Girish_Rajwani
Shopify Partner

Hello,

I am getting a blank `X-Shopify-Hmac-SHA256` header before creating a charge after auth/callback.

Can you please share the proper sample code or any link?

I have been stuck on this for hours 🙂

Thanks

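
An added example, not part of the thread and not Shopify's own code: verifying the `X-Shopify-Hmac-SHA256` webhook header discussed above, which is the base64-encoded HMAC-SHA256 of the raw request body keyed with the app's client secret. The secret, payload and function names are constructed for illustration; the demo also shows that hashing a re-serialised body instead of the received bytes makes the hashes differ.

```python
import base64
import hashlib
import hmac
import json

HMAC_HEADER = "x-shopify-hmac-sha256"
# Constructed sample values (assumptions): not a real secret or shop.
SECRET = "example-app-client-secret"
RAW_BODY = b'{"shop_id":954889,"shop_domain":"example.myshopify.com"}'


def compute_webhook_hmac(secret: str, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the exact bytes received on the wire."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the header is present and matches the body."""
    # Header names are case-insensitive, so normalise before lookup.
    received = next(
        (v for k, v in headers.items() if k.lower() == HMAC_HEADER), ""
    ).strip()
    if not received:
        return False  # missing or blank header: reject, never skip the check
    expected = compute_webhook_hmac(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


def demo() -> dict:
    headers = {"X-Shopify-Hmac-SHA256": compute_webhook_hmac(SECRET, RAW_BODY)}
    # Parsing and re-serialising changes whitespace, so the bytes differ.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "genuine": verify_webhook(SECRET, headers, RAW_BODY),
        "missing_header": verify_webhook(SECRET, {}, RAW_BODY),
        "reserialised_body": verify_webhook(SECRET, headers, reserialised),
        "wrong_secret": verify_webhook("other-secret", headers, RAW_BODY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

In a web framework, pass the unparsed request bytes as `raw_body` and run the check before any redaction logic acts on the payload.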