Topics covering webhook creation & management, event handling, Pub/Sub, and Eventbridge, in Shopify apps.
Hi Support,
We have created a PHP-based webhook handler as per Shopify guidelines to check the order signature. Here is the code:

```php
<?php
// Verifying a Shopify webhook order
define('SHOPIFY_APP_SECRET', 'OUR_SECRET_CODE_HERE');

function verify_webhook($data, $hmac_header) {
    // Shopify sends base64(HMAC-SHA256(raw body, app secret)) in the X-Shopify-Hmac-Sha256 header
    $calculated_hmac = base64_encode(hash_hmac('sha256', $data, SHOPIFY_APP_SECRET, true));
    // Constant-time comparison; known (computed) value first, header value second
    return hash_equals($calculated_hmac, $hmac_header);
}

// The header may be absent on a forged request; default to '' so hash_equals receives a string
$hmac_header = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '';
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);
```

Our risk assessment team reviewed the code and told us that 'sha256' encryption is weak and deprecated, suggested using 'bcrypt' in addition to HMAC, and provided the following URL:
This is an accepted solution.
For storing passwords, bcrypt is a good option. This is what the linked stackexchange article recommends. Sha256 isn't deprecated, and for HMAC based on a secret key, the encryption isn't considered weak.
HMAC and password storage are different problems. bcrypt is designed to be purposefully slow to prevent brute force attacks, which is a poor choice for something like webhooks, when you may be processing thousands (or tens of thousands) a second.
Shayne | Developer Advocate @ Shopify
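The following is an added example, not the original poster's code and not Shopify's own library. It shows the complete verification routine from the accepted answer's perspective (reject a missing header, compare in constant time, fail on a tampered body or wrong secret) and then times HMAC-SHA256 verification against a bcrypt hash-and-verify round trip to make the answer's throughput point concrete. The secret is read from an assumed `SHOPIFY_APP_SECRET` environment variable, and `$sampleBody` is a constructed payload, not a real Shopify order.

```php
<?php
// Added example (not from the original post or from Shopify): verify a Shopify
// webhook signature, then compare the per-request cost of HMAC-SHA256 with bcrypt.
// Assumptions: the secret comes from the SHOPIFY_APP_SECRET environment variable
// (fallback value is for the demo only); $sampleBody is constructed test data.

declare(strict_types=1);

function shopify_hmac(string $body, string $secret): string
{
    // Shopify sends base64(HMAC-SHA256(raw body, app secret)) in X-Shopify-Hmac-Sha256.
    return base64_encode(hash_hmac('sha256', $body, $secret, true));
}

function verify_shopify_webhook(string $rawBody, ?string $hmacHeader, string $secret): bool
{
    if ($hmacHeader === null || $hmacHeader === '') {
        return false; // missing header: reject before doing anything with the payload
    }
    $expected = shopify_hmac($rawBody, $secret);
    // Constant-time comparison; the computed value goes first, the attacker-controlled
    // header value second, matching hash_equals(known_string, user_string).
    return hash_equals($expected, $hmacHeader);
}

// --- Constructed demonstration data ---
$secret     = getenv('SHOPIFY_APP_SECRET') ?: 'example-secret-do-not-use';
$sampleBody = '{"id":1001,"total_price":"19.99","currency":"USD"}';
$goodHeader = shopify_hmac($sampleBody, $secret);

var_dump(verify_shopify_webhook($sampleBody, $goodHeader, $secret));        // valid signature
var_dump(verify_shopify_webhook($sampleBody . ' ', $goodHeader, $secret));  // body altered by one byte
var_dump(verify_shopify_webhook($sampleBody, null, $secret));               // header absent
var_dump(verify_shopify_webhook($sampleBody, $goodHeader, 'wrong-secret')); // signed with a different secret

// --- Why bcrypt does not belong in this path: cost per verification ---
$hmacIterations = 200;
$start = hrtime(true);
for ($i = 0; $i < $hmacIterations; $i++) {
    verify_shopify_webhook($sampleBody, $goodHeader, $secret);
}
$hmacMicros = (hrtime(true) - $start) / 1000 / $hmacIterations;

// bcrypt is deliberately slow (work factor 'cost'); keep the loop short.
$bcryptIterations = 5;
$start = hrtime(true);
for ($i = 0; $i < $bcryptIterations; $i++) {
    $hash = password_hash($sampleBody, PASSWORD_BCRYPT, ['cost' => 10]);
    password_verify($sampleBody, $hash);
}
$bcryptMicros = (hrtime(true) - $start) / 1000 / $bcryptIterations;

printf("HMAC-SHA256 verify:  %.1f us per request\n", $hmacMicros);
printf("bcrypt hash+verify:  %.1f us per request\n", $bcryptMicros);
```

To wire this into a real endpoint, pass `file_get_contents('php://input')` as the body and `$_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? null` as the header, and answer with a 401 and no further processing when the function returns false. The raw body must be used as received; re-serialising a decoded JSON object will not reproduce the bytes Shopify signed.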