A store owner discovered that product data, including the “Vendor” field, is being scraped by bots and reposted on fraudulent websites. The Vendor field contains private supplier information not displayed on the site, yet appears in scraped data.
Key Finding:
Adding .js or .json to any product URL (e.g., yoursite.com/products/XXX.json) exposes all product data publicly. This JSON endpoint is automatically generated by Shopify and cannot be modified or disabled.
Resolution:
The Vendor field and other product data are inherently public-facing through Shopify’s API.
Moving sensitive information to metafields is recommended, as these are not exposed in the JSON output.
The store owner will need to change their data management practices to avoid storing private supplier information in standard product fields.
This affects any Shopify store using built-in product fields for internal notes or sensitive business information.
Summarized with AI on October 31.
AI used: claude-sonnet-4-5-20250929.
My website content is getting scraped by bots and my product listings are being re-posted on fraudulent websites. I’ve dealt with several instances of this recently; several copyright infringement takedown requests, etc. That’s enough of a headache on its own.
The thing I’m trying to figure out is that the “Vendor” field from my products is somehow being included in the data that is being scraped, even though it is not being displayed in my product listing or in the search engine metadata. I know this because I don’t use this field for the actual “vendor” of the product, but rather, the private individual I bought the goods from. It is an internal note for myself. But this internal note is showing up in the scraped data that is being posted to fraudulent websites.
Can anyone tell me if the Vendor field is supposed to be public facing, part of the metadata of a product listing? What about other fields? Is there a place I can find a complete listing of the fields that are shared outside of my organization? And is there a way to alter what is being included in this way? I’m using the Craft theme (currently v13, but about to upgrade to v15.2).
So - now that I can see what is being shown publicly, do you know how I can change it? I assumed I would be able to find it in my product.json template code, but I don’t see anything there. Not finding it in any snippets or other code either. Any guidance would be wonderful!
Shoot! Well that really stinks. I would expect that most small businesses out there wouldn’t actually want folks to know who their vendors are for things. The brands of their goods, certainly, that makes sense, but not the vendors.
We’ll have to adjust our data keeping methods to discontinue use of that field. Thanks for your help.
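As an added example (not part of the thread and not Shopify's own code), this Python script checks the public product JSON described in the summary above for private terms such as supplier names, so a store owner can see which fields leak them. The sample document, its field layout, and the helper names `fetch_public_json`, `walk` and `find_private_terms` are assumptions made for illustration.

```python
import json
import urllib.request

# Constructed sample of what <store>/products/<handle>.json might return.
# The field layout is an assumption for illustration; all values are made up.
SAMPLE = json.loads("""
{"product": {
  "id": 1000000001,
  "title": "Vintage Brass Lamp",
  "vendor": "Jane Example (estate sale, cash)",
  "tags": "brass, lamp, from Jane Example",
  "variants": [{"id": 2000000001, "sku": "JE-0042", "price": "120.00"}]
}}
""")


def fetch_public_json(store_domain, handle):
    """Fetch the public JSON for one product on your own store (not called here)."""
    url = f"https://{store_domain}/products/{handle}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def walk(node, path=""):
    """Yield (dotted_path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_private_terms(doc, private_terms):
    """Return sorted (path, term) pairs where a private term appears in public data."""
    hits = set()
    for path, value in walk(doc):
        text = str(value).lower()
        for term in private_terms:
            if term.lower() in text:
                hits.add((path, term))
    return sorted(hits)


if __name__ == "__main__":
    for path, term in find_private_terms(SAMPLE, ["Jane Example", "estate sale"]):
        print(f"{path}: contains private term {term!r}")
```

Running the same check against `fetch_public_json(...)` output for each product handle, with a list of your real supplier names, shows which standard fields need to be cleaned or moved to metafields.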