Securing Mechanic webhooks
Last updated
Was this helpful?
Last updated
Was this helpful?
are configured properly for CORS, which makes them suitable for submissions from your online store's frontend.
These webhooks do not include any authentication, so you may want to add some verification in your own implementation.
By establishing a shared secret value, stored in server-side Shopify theme code and in server-side Mechanic task code, the webhook request data can be "signed" with a signature value, uniquely determined by the shared secret combined with the request data. This prevents would-be attackers from modifying the webhook data and re-using the same signature, because any modification to the webhook data would invalidate the signature.
One might use something like this in the Shopify theme code:
... and then something like this, in the corresponding Mechanic task code:
The approach above prevents would-be attackers from passing off altered data as legitimate, but it does not prevent manually repeated submissions of the same data.
The best approach for preventing this is to ensure that the Mechanic task code is fully idempotent, such that it only performs the desired work once, no matter how many times it is invoked.
In this way, later submissions of the same webhook data will be ignored.
To prevent a replay of the same request much later, add a rounded representation of the current time to the signature calculation. Here's an example, on the theme code side:
And here's how this might be validated in task code:
In this way, the signature will only be valid within a 60-minute interval.
One way to solve this is to leverage to remember that a given request has already been processed. Here's an example:
Bear in mind, with this strategy, timeliness becomes important! A could push the event past the rounding, resulting in a new time value, and invalidating the request signature.