Shopify Security Basics

Overview

Security essentials for Shopify apps: credential management, webhook HMAC validation, request verification, and least-privilege access scopes.

Prerequisites

• Shopify Partner account with app credentials
• Understanding of HMAC-SHA256 signatures
• Access to Shopify app configuration

Instructions

Step 1: Secure Credential Storage

# .env — NEVER commit
SHOPIFY_API_KEY=your_api_key
SHOPIFY_API_SECRET=your_api_secret_key
SHOPIFY_ACCESS_TOKEN=shpat_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# .gitignore — add immediately
.env
.env.local
.env.*.local
*.pem

Token format reference:

Step 2: Webhook HMAC Verification

Shopify signs every webhook with your app's API secret using HMAC-SHA256. The signature is in the X-Shopify-Hmac-Sha256 header. Use crypto.timingSafeEqual for comparison to prevent timing attacks. The middleware must use raw body parser (not JSON parser).

See Webhook HMAC Verification for the complete implementation.

Step 3: OAuth Request Verification

Verify that incoming OAuth requests from Shopify are authentic by checking the HMAC query parameter. The library handles this automatically, but the manual approach sorts params alphabetically, creates a query string, and compares HMAC hex digests.

See OAuth Request Verification for the complete implementation.

Step 4: Minimal Access Scopes

Only request the scopes your app actually needs:

# shopify.app.toml — start minimal, add as needed
[access_scopes]
scopes = "read_products"

# Use optional scopes for features that not all merchants need
[access_scopes.optional]
scopes = "write_products,read_orders"

Step 5: Content Security Policy for Embedded Apps

// Embedded apps must set proper CSP headers
app.use((req, res, next) => {
  const shop = req.query.shop as string;
  res.setHeader(
    "Content-Security-Policy",
    `frame-ancestors https://${shop} https://admin.shopify.com;`
  );
  next();
});

Output

• Credentials securely stored in environment variables
• Webhook HMAC verification on all incoming webhooks
• OAuth request signatures validated
• Minimal access scopes configured
• CSP headers set for embedded apps

Error Handling

Examples

Security Audit Checklist

• [ ] Access tokens in environment variables, never in code
• [ ] .env files in .gitignore
• [ ] Webhook HMAC verified on every incoming webhook
• [ ] OAuth HMAC verified on app installation requests
• [ ] Minimal scopes — only what the app needs
• [ ] CSP frame-ancestors set for embedded apps
• [ ] No admin tokens in client-side JavaScript
• [ ] Token rotation procedure documented
• [ ] git-secrets or similar pre-commit hook installed

Install git-secrets to Prevent Token Leaks

# Install git-secrets
brew install git-secrets  # macOS
# or: sudo apt install git-secrets  # Linux

# Add Shopify patterns
git secrets --add 'shpat_[a-f0-9]{32}'
git secrets --add 'shpss_[a-f0-9]{32}'

# Install hook
git secrets --install

Resources

• Shopify Webhook HMAC Verification
• Shopify API Authentication
• Access Scopes Reference
• Embedded App Security