I did not see this issue on the 12th personally
Topic summary
Issue Overview:
Developers using Shopify’s Admin API with HTTP Basic Authentication (private apps) began receiving the error “For security reasons, requests using HTTP Basic Authentication cannot include cookies” on POST requests, despite not explicitly sending cookies.
Timeline & Impact:
- Initial reports emerged around 11 AM EST on January 5, 2021
- Multiple users confirmed the issue affected POST requests to various endpoints (tracking updates, inventory, metafields, customers, fulfillments)
- Shopify’s status page acknowledged the problem
- Issue was resolved within approximately 2 hours
Root Cause Speculation:
Users noted Shopify implemented a no-cookies policy for Basic Auth in 2017. The consensus suggests this was likely a bug where Shopify’s API incorrectly flagged legitimate requests as containing cookies, possibly due to accidentally deployed code that was later reverted.
Recurring Reports:
Similar incidents were reported on:
- June 9-10, 2021 (fulfillments endpoint)
- September 9, 2021 (product images endpoint)
Recommended Solution:
Some developers added explicit cookie-clearing code (curl_setopt($ch, CURLOPT_COOKIELIST, 'ALL')) as a precautionary measure, though the issue appears to be server-side rather than client-side.