How to Prevent Manual Cart Quantity Changes

Topic summary

A Shopify store owner on a non-Plus account has discovered a security vulnerability: quantity limits set through theme customizations can be bypassed by sending direct POST requests to /cart/update.js.

A penetration tester demonstrated this by manually updating cart quantities via API payload, completely circumventing front-end controls.

Key concerns:

  • Server-side validation of cart requests isn’t available without Shopify Plus or Functions
  • The app “Avada Order Limits Quantity” prevents front-end manipulation but doesn’t fully block backend modifications
  • Attackers can use tactics like /cart/{variant-id}:1 to skip cart page checks and proceed directly to checkout

Seeking solutions:

  • Methods to validate or block /cart/update.js requests on non-Plus accounts
  • Apps or workarounds that enforce limits against manual POST requests
  • Webhook validations or other alternatives for the prototype phase

The discussion remains open with no confirmed solutions yet. Another user reports experiencing similar cart manipulation issues.

Summarized with AI on October 29. AI used: claude-sonnet-4-5-20250929.

Hi everyone,

I’m currently working on a Shopify store using a trial (non-Plus) account, and I’ve implemented product quantity limits through theme customizations. While this works fine through the user interface, a recent pentest revealed that it’s still possible to manually modify the quantity by sending a POST request to /cart/update.js with a custom payload — completely bypassing the front-end controls.

A pentester was able to change the quantity like this:

```json
{
  "updates": {
    "PRODUCT_ID": 99
  }
}
```

This updated the cart directly, ignoring the max quantity limits we set on the product.

My Questions:

  1. Is there any way to block or validate /cart/update.js requests on the server side without having access to Shopify Plus or Functions?

  2. Are there apps or workarounds that enforce limits even against manual POST requests (e.g., via webhook validations or redirecting invalid carts)?

  3. I’m currently testing Avada Order Limits Quantity, which works well on the front end, but it seems not to fully stop these types of backend modifications. Any suggestions?

Goal:

To block or reject any cart manipulation where users try to bypass quantity limits — without requiring Shopify Plus (at least for the prototype phase).

I would really appreciate advice from anyone who has faced and solved a similar issue!

Thanks in advance.
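One building block for the webhook route the post asks about, added here as an example and not code from the post, the Avada app or Shopify: a handler that verifies the X-Shopify-Hmac-Sha256 signature (base64 of HMAC-SHA256 over the raw body) before trusting a payload, then flags line items whose quantity exceeds a per-variant limit. The QUANTITY_LIMITS table, the secret and the sample order body are constructed for this example; because a webhook arrives after the cart or order already exists, this can only flag or follow up on an over-limit order, not block the /cart/update.js request itself.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical per-variant limits; the variant ids are constructed for this example.
QUANTITY_LIMITS = {"1234567890": 5, "9876543210": 2}

# Constructed sample order body: one item at its limit, one far over it (like the post's 99).
SAMPLE_BODY = json.dumps({"id": 1, "line_items": [
    {"variant_id": 1234567890, "quantity": 5},
    {"variant_id": 9876543210, "quantity": 99},
]}).encode("utf-8")


def sign_body(secret: str, raw_body: bytes) -> str:
    """base64(HMAC-SHA256(secret, raw body)), the value Shopify sends in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_hmac(secret: str, raw_body: bytes, header_value: str) -> bool:
    """Recompute the signature over the raw bytes and compare in constant time."""
    return hmac.compare_digest(sign_body(secret, raw_body), header_value)


def find_limit_violations(payload: dict, limits: dict) -> list:
    """Return (variant_id, quantity, limit) for each line item above its limit."""
    # Assumes each 'line_items' entry exposes 'variant_id' and 'quantity'.
    violations = []
    for item in payload.get("line_items", []):
        variant = str(item.get("variant_id"))
        qty = int(item.get("quantity", 0))
        limit = limits.get(variant)
        if limit is not None and qty > limit:
            violations.append((variant, qty, limit))
    return violations


def handle_webhook(secret: str, raw_body: bytes, hmac_header: str, limits: dict) -> dict:
    """Drop unsigned or tampered requests; otherwise report every limit violation."""
    if not verify_shopify_hmac(secret, raw_body, hmac_header):
        return {"accepted": False, "violations": []}
    return {"accepted": True, "violations": find_limit_violations(json.loads(raw_body), limits)}


if __name__ == "__main__":
    secret = "EXAMPLE_SHARED_SECRET"  # placeholder, not a real app secret
    print(handle_webhook(secret, SAMPLE_BODY, sign_body(secret, SAMPLE_BODY), QUANTITY_LIMITS))
```

Verify against the raw request bytes, not a re-serialized JSON object, or the signature check will fail on valid deliveries.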

I would also like an answer to this. Currently there exist numerous cart manipulation tactics that have been used in our store, specifically /cart/{variant-id}:1, and unfortunately not enough mitigation tactics for non-Plus users.
This results in the user being able to bypass any checks we have in place on the cart page and go straight to the checkout.

If you find any solution, please post what you found here!