
GDPR webhooks do not include HMAC

alfredoc
Tourist

It looks like the GDPR webhooks do not include the "x-shopify-hmac-sha256" headers, so how can we be sure the request is safe to be executed? Only by knowing the shop_id, anyone can send a "shop/redact" to a known endpoint to delete the shop data...

O0O0
Shopify Staff

Hello! The `X-Shopify-Hmac-SHA256` header is always included in our `customers/redact` and `shop/redact` webhooks. Is there a specific request you've found that is missing it?


alfredoc
Tourist
Not exactly, it is the first time the hashes do not match, so I thought the HMAC was empty... but you are right, I'm sorry, it was our mistake.
Girish_Rajwani
Shopify Partner

Hello,

I am getting a blank `X-Shopify-Hmac-SHA256` header before creating a charge after auth/callback.

Can you please share proper sample code or any link?

I have been stuck on this for hours 🙂

Thanks

 Girish Rajwani
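The check this thread is about, as an added example that is not part of the original posts and is not Shopify's own code: the receiver recomputes a base64-encoded HMAC-SHA256 over the raw request body and compares it with the `X-Shopify-Hmac-SHA256` header before acting on a `shop/redact` request. The secret, payload and function names are constructed for illustration; the example also shows one way a mismatch arises, which is hashing a re-serialized body instead of the bytes that were received.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration only; not real credentials or shop data.
APP_SECRET = b"constructed-example-secret"
RAW_BODY = b'{"shop_id":954889,"shop_domain":"example.myshopify.com"}'


def sign(raw_body: bytes, secret: bytes) -> str:
    """Base64 HMAC-SHA256 over the exact bytes of the request body."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(raw_body: bytes, headers: dict, secret: bytes) -> bool:
    """Return True only if the header is present and matches the raw body."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get("x-shopify-hmac-sha256", "")
    if not received:
        return False  # missing or blank header: reject, never skip the check
    expected = sign(raw_body, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


def reserialize(raw_body: bytes) -> bytes:
    """What a framework does when it parses JSON and dumps it again."""
    return json.dumps(json.loads(raw_body)).encode()


def handle_redact(raw_body: bytes, headers: dict, secret: bytes) -> int:
    """Hypothetical handler: returns the HTTP status to send back."""
    if not verify_webhook(raw_body, headers, secret):
        return 401
    payload = json.loads(raw_body)  # parse only after the signature checks out
    _shop_id = payload["shop_id"]   # deletion for this shop would happen here
    return 200


if __name__ == "__main__":
    signed = {"X-Shopify-Hmac-SHA256": sign(RAW_BODY, APP_SECRET)}
    print("raw body:", handle_redact(RAW_BODY, signed, APP_SECRET))
    print("re-serialized body:", handle_redact(reserialize(RAW_BODY), signed, APP_SECRET))
    print("no header:", handle_redact(RAW_BODY, {}, APP_SECRET))
```

In a web framework, read the body as bytes before any JSON middleware touches it and pass those bytes to `verify_webhook`.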