Securing mandatory GDPR webhooks

The General Data Protection Regulation (GDPR) sets requirements for any party that collects, stores, or processes the personal data of individuals in Europe. Shopify, however, applies these GDPR requirements to all user data, regardless of whether the individual is located in Europe.

You need to ensure that any app that you distribute through the Shopify App Store is GDPR-compliant, regardless of whether your app currently collects personal data. Shopify provides mandatory webhooks to help.

Apps must meet the following webhook requirements:

  • The app must implement the mandatory webhooks.
  • The app must handle POST requests with a JSON body and a Content-Type header set to application/json sent to the mandatory webhooks.
  • If a mandatory webhook sends a request with an invalid Shopify HMAC header, then the app must return a 401 Unauthorized HTTP status.
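The HMAC check behind the last requirement, as an added example that is not Shopify's own code: it assumes the signature arrives in the X-Shopify-Hmac-Sha256 header as the base64 HMAC-SHA256 of the raw request body keyed with the app's client secret, and the secret and sample request below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed placeholder; a real app reads its client secret from configuration.
APP_CLIENT_SECRET = "example-client-secret-not-real"

# Assumed header carrying base64(HMAC-SHA256(client_secret, raw_body)).
HMAC_HEADER = "X-Shopify-Hmac-Sha256"


def compute_hmac(raw_body: bytes, secret: str) -> str:
    """Return the base64 HMAC-SHA256 of the raw body under the client secret."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hmac(raw_body: bytes, header_value: Optional[str], secret: str) -> bool:
    """Constant-time comparison; a missing or empty header counts as invalid."""
    if not header_value:
        return False
    return hmac.compare_digest(compute_hmac(raw_body, secret), header_value)


def handle_mandatory_webhook(headers: Dict[str, str], raw_body: bytes,
                             secret: str = APP_CLIENT_SECRET) -> Tuple[int, Optional[dict]]:
    """Return (HTTP status, parsed payload): 401 on a bad HMAC, 200 when accepted."""
    # Verify the exact bytes received, before any JSON parsing: re-serialising
    # the body can change whitespace or key order and invalidate the signature.
    if not verify_hmac(raw_body, headers.get(HMAC_HEADER), secret):
        return 401, None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, None  # signed but unparseable body (defensive, not a Shopify rule)
    return 200, payload


# Constructed sample delivery, signed with the placeholder secret above.
SAMPLE_BODY = b'{"shop_id": 954889, "shop_domain": "example.myshopify.com"}'
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    HMAC_HEADER: compute_hmac(SAMPLE_BODY, APP_CLIENT_SECRET),
}

if __name__ == "__main__":
    print(handle_mandatory_webhook(SAMPLE_HEADERS, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"954889", b"954890")
    print(handle_mandatory_webhook(SAMPLE_HEADERS, tampered))  # (401, None)
```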