Security measure for Shopify App Proxy

Topic summary

Focus: securing a Shopify App Proxy setup that forwards storefront requests to an external app server.

Key questions raised:

Is there a published/static IP range for Shopify’s App Proxy so the backend can allowlist only those source IPs?
Can the App Proxy inject a custom HTTP header into forwarded requests to help the app server verify the request origin?

Context: A security team requested additional safeguards for incoming proxy traffic to the app backend.

Notes: “App Proxy” is a Shopify feature that routes certain storefront paths to an external app and returns the app’s response on the storefront.

Status/outcome: No answers or decisions yet; guidance on IP allowlisting and header customization is still needed.

Summarized with AI on December 31. AI used: gpt-5.

ykyuen April 17, 2024, 7:48am 1

We are using app proxy to redirect the shopify frontend request to the app server. however. We have the security team suggesting if there is anyway to safe guard those requests by the following.

is there any ip range of the app proxy servers such that we only whitelist those source ip?
is it possible for us to add a custom header to the request at the app proxy?

Thanks.

Topic		Replies	Views
APP Proxy is not secure, anyone can send requests and DDOS you server? Store Design	2	23	June 3, 2021
App proxy is sending cloudflare IP addresses to our backend Extensions troubleshooting	0	46	September 29, 2024
Authentication Token to validate API calls from Shopify Backend Technical Q&A javascript	2	53	February 11, 2025
X_FORWARDED_FOR and X_REAL_IP header in application proxy no longer sending correct ip address Store Design	3	93	December 10, 2019
Shopify App Proxy. How to I get data from an external database into my store Store Design	27	376	July 16, 2023

Security measure for Shopify App Proxy

Topic summary

Related topics