
GDPR webhooks do not include HMAC

alfredoc
Tourist

It looks like the GDPR webhooks do not include the "x-shopify-hmac-sha256" headers, so how can we be sure the request is safe to be executed? Only by knowing the shop_id, anyone can send a "shop/redact" to a known endpoint to delete the shop data...


O0O0
Shopify Staff

Hello! The `X-Shopify-Hmac-SHA256` header is always included in our `customers/redact` and `shop/redact` webhooks. Is there a specific request you've found that is missing it?


alfredoc
Tourist

Not exactly, it is the first time the hashes do not match, so I thought the HMAC was empty... but you are right, I'm sorry, it was our mistake.

Girish_Rajwani
Shopify Partner

Hello,

I am getting a blank `X-Shopify-Hmac-SHA256` header before creating a charge after auth/callback.

Can you please share the proper sample code or any link?

I have been stuck on this for hours 🙂

Thanks

Girish | Shopify Expert  
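
One way to check the `X-Shopify-Hmac-SHA256` header discussed in this thread, as an added example that is not code from any of the posters or from Shopify. It assumes the header carries the base64-encoded HMAC-SHA256 of the raw request body keyed with the app's secret; the secret, the payload and the `handle_redact` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or a real Shopify payload.
APP_SECRET = b"example-app-secret"
RAW_BODY = b'{"shop_id":1234,"shop_domain":"example.myshopify.com"}'

# Re-serialising parsed JSON changes the bytes (spacing here), so a hash
# computed over it no longer matches the one computed over the raw body.
RESERIALIZED = json.dumps(json.loads(RAW_BODY)).encode()


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the form carried in the header."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if X-Shopify-Hmac-SHA256 matches the raw body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get("x-shopify-hmac-sha256", "")
    if not received:
        return False  # missing or blank header: reject, never skip the check
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_redact(secret: bytes, raw_body: bytes, headers: dict):
    """Hypothetical handler: parse the JSON only after the HMAC verifies."""
    if not verify_webhook(secret, raw_body, headers):
        return 401, None
    return 200, json.loads(raw_body)["shop_id"]
```

Pass the bytes exactly as received from the socket or framework; if the web framework has already parsed the JSON, the comparison fails the way `RESERIALIZED` does.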