A developer asks whether Web Pixel fetch requests can be signed to verify event authenticity. They note that Shopify doesn’t provide access to crypto globals in web workers, and network tab visibility makes requests vulnerable to manipulation.
Key Response:
- Client-side signing is not recommended because it requires exposing the signing key in the browser.
- Since requests originate client-side, they cannot be fully protected from theft or replay attacks.
Suggested Workaround:
- Use Shopify’s App Proxy feature to route Web Pixel requests through a specific path configured in the App Proxy.
- Requests are forwarded to the actual server with a signature from Shopify.
- This allows verification that Shopify sent the request and hides the actual server URL.
Status: Partial solution provided, though fundamental client-side security limitations remain unresolved.
Summarized with AI on November 10.
AI used: claude-sonnet-4-5-20250929.
Is it possible to do some sort of Request Signing on the fetch requests made in Web Pixels so I can verify that the source of the event is credible? I see that Shopify does not provide access to the globals required to use crypto in a web worker as mentioned here. The issue is that it seems like the requests show up in the network tab, showing all the parts of the request, meaning someone can easily figure out how to overload the server with requests.
You wouldn’t want to sign on the client side (browser) because you’ll have to expose your key.
Since the request is originating on the client side, ultimately, there’s nothing you can do to prevent it from being stolen/replayed/etc.
That being said, and this does not fully address what you’re concerned about, you can use the Shopify App Proxy to make requests from your Web Pixels to your store’s URL under a specific path that you configure in the App Proxy. This is then forwarded to your actual server, with a signature, so you can ensure that Shopify sent it via the App Proxy. This also hides your server’s actual URL.
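The server-side check this answer refers to, as an added example that is not part of the original thread or Shopify's own code: it follows the App Proxy scheme of an HMAC-SHA256 hex digest over the sorted query parameters, keyed with the app's secret. The secret, the sample query and the 60-second freshness window are assumptions made for illustration.

```javascript
// Added example: verify the `signature` query parameter on an App Proxy request.
const crypto = require('node:crypto');

const MAX_AGE_SECONDS = 60; // assumption: freshness window chosen for this example

// Message that is signed: every query parameter except `signature`, rendered
// as key=value (repeated values joined by ","), sorted, then concatenated
// with no separator.
function canonicalMessage(params) {
  const grouped = new Map();
  for (const [key, value] of params) {
    if (key === 'signature') continue;
    if (!grouped.has(key)) grouped.set(key, []);
    grouped.get(key).push(value);
  }
  return [...grouped].map(([k, v]) => `${k}=${v.join(',')}`).sort().join('');
}

function sign(message, secret) {
  return crypto.createHmac('sha256', secret).update(message).digest('hex');
}

// Returns true only when the signature matches and the timestamp is recent.
function verifyAppProxyRequest(queryString, secret, nowSeconds = Date.now() / 1000) {
  const params = new URLSearchParams(queryString);
  const provided = Buffer.from(params.get('signature') || '', 'utf8');
  const expected = Buffer.from(sign(canonicalMessage(params), secret), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (provided.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(provided, expected)) return false;
  const ts = Number(params.get('timestamp'));
  return Number.isFinite(ts) && Math.abs(nowSeconds - ts) <= MAX_AGE_SECONDS;
}

// Constructed sample request (not real data); the secret is a placeholder.
const SAMPLE_SECRET = 'example-app-secret';
const SAMPLE_NOW = 1700000000;
const unsigned = 'shop=example.myshopify.com&path_prefix=%2Fapps%2Fpixel' +
  `&timestamp=${SAMPLE_NOW}&logged_in_customer_id=`;
const SAMPLE_QUERY = `${unsigned}&signature=` +
  sign(canonicalMessage(new URLSearchParams(unsigned)), SAMPLE_SECRET);

console.log(verifyAppProxyRequest(SAMPLE_QUERY, SAMPLE_SECRET, SAMPLE_NOW));
```

A passing check shows the request arrived through the App Proxy; as the answer says, it does not stop a browser from sending forged or replayed events through that same path.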