Authentication of webhook payloads is currently handled via secrets included in payload headers. The two relevant site settings are:

- **webhook receiver secret**: the secret, e.g. `01534563e542342312349`
- **webhook receiver secret header key**: the key in the payload header where the secret is stored, e.g. `X-Shopify-Hmac-SHA256`
The secret is validated using the following code, taken directly from Shopify’s example for secret validation (`body` is the raw request body and `hmac_header` is the value of the configured header):

```ruby
require 'openssl'
require 'base64'
require 'active_support/security_utils'

calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, body))
ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)
```
See further https://shopify.dev/tutorials/manage-webhooks.
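To make the validation above concrete, here is an added, self-contained example (not the plugin's own code) that signs a constructed body the way Shopify does and then verifies it, showing that a tampered body, a re-serialized body, a wrong secret, or a missing header all fail. The secret, body, and the `secure_compare` stand-in for `ActiveSupport::SecurityUtils.secure_compare` are assumptions made so the example runs with plain Ruby.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Shopify-style signature: Base64 of HMAC-SHA256 over the *raw* request body.
def shopify_hmac(secret, raw_body)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, raw_body))
end

# Constant-time comparison. Inside Rails the post uses
# ActiveSupport::SecurityUtils.secure_compare; this stand-in (an assumption
# for the example) avoids the dependency so the code runs with plain Ruby.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify a received webhook. Returns true only when the configured header
# carries a valid signature over the exact bytes that were received.
def valid_webhook?(secret, raw_body, headers, header_key = 'X-Shopify-Hmac-SHA256')
  hmac_header = headers[header_key]
  return false if hmac_header.nil? || hmac_header.empty?
  secure_compare(shopify_hmac(secret, raw_body), hmac_header)
end

# Constructed sample data (not real Shopify values).
SECRET = 'constructed-example-secret'.freeze
RAW_BODY = '{"id":1001,"order_number":42,"total_price":"19.99"}'.freeze
SIGNED_HEADERS = { 'X-Shopify-Hmac-SHA256' => shopify_hmac(SECRET, RAW_BODY) }.freeze

puts valid_webhook?(SECRET, RAW_BODY, SIGNED_HEADERS)                    # true
puts valid_webhook?(SECRET, RAW_BODY.sub('19.99', '0.01'), SIGNED_HEADERS) # false: body tampered
# Re-serializing the parsed JSON changes the bytes, so the signature no longer
# matches: always verify against the raw body, never a re-encoded copy.
puts valid_webhook?(SECRET, JSON.pretty_generate(JSON.parse(RAW_BODY)), SIGNED_HEADERS) # false
puts valid_webhook?('wrong-secret', RAW_BODY, SIGNED_HEADERS)            # false: wrong secret
puts valid_webhook?(SECRET, RAW_BODY, {})                                 # false: header missing
```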
If there is a modification to this authentication method, secret validation method, or other security change you’d like to make to the plugin, please let us know by replying to this topic.