Seeking help: Compliance webhooks green, but “Use HMAC verification” check still flags red (Shopify App)

gugu517 · September 12, 2025, 2:23pm

App stack: Remix (+ @shopify/shopify-app-remix), embedded app, hosted at https://www.inhawbricks.com
App config: shopify.app.toml uses compliance_topics (2025-07), endpoint is HTTPS
Routes (resource routes): /webhooks/orders/created|paid|updated, /webhooks/app/scopes_update, /webhooks/app/uninstalled, and the 3 GDPR endpoints (/webhooks/customers/data_request, /customers/redact, /shop/redact)
HMAC verification: authenticate.webhook(request) on all POST routes; GET/HEAD/OPTIONS → 405; missing/invalid HMAC → 401

What we changed

Removed legacy admin pages and any public “monitor” route (now /app/monitor redirects → /app)
Added GDPR webhooks via compliance_topics in shopify.app.toml (2025-07)
Confirmed all webhooks: invalid HMAC → 401, valid HMAC → 200 on GDPR routes
Verified with Shopify CLI:
shopify app webhook trigger --topic customers/data_request --address https://www.inhawbricks.com/webhooks/customers/data_request --delivery-method http --api-version 2025-07
Same for customers/redact and shop/redact
Server logs show successful GDPR deliveries (200) and correct 401 for invalid HMAC tests

Our self-tests (key evidence)

Curl matrix for all endpoints with X-Shopify-Hmac-Sha256: BAD returns 401 across the board
Valid signed requests (CLI trigger) return 200 for GDPR routes; logs show topics CUSTOMERS_DATA_REQUEST, CUSTOMERS_REDACT, SHOP_REDACT handled and responded 200
App loads under /app; old /app/monitor now 302 → /app (intentional)

What still shows red

In the Dev Dashboard “Common checks,” the item “Use HMAC to verify webhooks” intermittently stays red even though:
All endpoints return 401 for bad/absent HMAC
GDPR compliance webhooks are subscribed (compliance_topics) and deliver 200
TLS is valid, and other checks are green

Questions for the community

Is there a known caching/latency or versioning issue with the “Use HMAC verification” automated check that might keep it red after fixes? Any way to force a re-evaluation?
Does the checker require HEAD/OPTIONS to be explicitly 405 on all endpoints (we do), or any other method/edge case (TRACE/PUT/PATCH) we should also block?
For compliance webhooks, is using compliance_topics in app.toml + single HTTPS endpoint sufficient, or should we also configure the same endpoints in “Settings → Compliance webhooks” to make the checker happy?
Are there specific headers beyond X-Shopify-Hmac-Sha256 (e.g., X-Shopify-API-Version, X-Shopify-Shop-Domain) that the checker expects even when HMAC is invalid?
Any known false positives related to Cloudflare proxying HTTPS endpoints (we’re behind Cloudflare), even when requests are correctly validated server-side?

Thanks for any insight. Logs and command outputs available on request:

401 matrix for invalid HMAC POST across all endpoints
Shopify CLI webhook trigger 200 logs for GDPR topics
shopify.app.toml snippet (compliance_topics with 2025-07)
Route handlers using authenticate.webhook(request) on POST and 405 on GET/HEAD/OPTIONS

App details (for reviewers)

Domain: www.inhawbricks.com
Example endpoints: https://www.inhawbricks.com/webhooks/customers/data_request etc.
Runtime: Node/Remix; auth via @shopify/shopify-app-remix; behind Cloudflare

If you want, I can also format this into a Markdown file you can paste directly to the forums.

Topic		Replies	Views
Failing at webhook HMAC verification step. Shopify Apps shopify-apps	1	36	August 25, 2024
Unable to configure GDPR and HMAC verification Shopify Discussion troubleshooting	2	7	May 16, 2024
HTTP POST for redact-shop-data webhook failing HMAC validation? Shopify Apps	6	27	August 29, 2023
app's HTTPS webhook endpoints must validate Shopify Apps third-party-apps , shopify-apps	2	5	September 5, 2023
How do I implement HMAC signature for webhook verification in a Remix-Run app? Shopify Apps shopify-apps	10	679	September 11, 2025