It looks like the GDPR webhooks do not include the "x-shopify-hmac-sha256" headers, so how can we be sure the request is safe to be executed? Only by knowing the shop_id, anyone can send a "shop/redact" to a known endpoint to delete the shop data...
Hello! The `X-Shopify-Hmac-SHA256` header is always included in our `customers/redact` and `shop/redact` webhooks. Is there a specific request you've found that is missing it?
Hello,
I am getting a blank `X-Shopify-Hmac-SHA256` header before creating a charge after auth/callback.
Can you please share the proper sample code or any link?
I have been stuck on this for hours 🙂
Thanks
Girish | Shopify Expert
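The check this thread is about, as an added example that is not part of any post above and not Shopify's own code: a webhook receiver recomputes the base64 HMAC-SHA256 of the raw request body with the app's API secret and compares it to `X-Shopify-Hmac-SHA256`, rejecting a missing or blank header before any `shop/redact` work is done. The secret, the sample payload and the `handle_webhook` function are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration; the real secret is the app's API secret key.
APP_SECRET = "example-app-secret"
SAMPLE_BODY = json.dumps({"shop_id": 12345, "shop_domain": "example.myshopify.com"}).encode()


def sign(raw_body: bytes, secret: str) -> str:
    """Base64 HMAC-SHA256 of the raw body, the format carried in X-Shopify-Hmac-SHA256."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def is_authentic(raw_body: bytes, header_value, secret: str) -> bool:
    """True only if the header is present and matches the HMAC of the exact bytes received."""
    if not header_value:  # missing or blank header: treat as unauthenticated
        return False
    expected = sign(raw_body, secret)
    # compare_digest is constant-time, so the check does not leak how much of the value matched
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())


def handle_webhook(headers: dict, raw_body: bytes, secret: str = APP_SECRET):
    """Hypothetical handler: returns (status, action) and never acts before verification."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not is_authentic(raw_body, lowered.get("x-shopify-hmac-sha256"), secret):
        return 401, "rejected"
    if lowered.get("x-shopify-topic", "") == "shop/redact":
        shop = json.loads(raw_body)["shop_domain"]
        return 200, f"queued redaction for {shop}"
    return 200, "ignored"
```

Verify against the raw bytes as received; re-serializing parsed JSON before hashing changes the bytes and makes valid requests fail.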