Securing mandatory GDPR webhooks
The General Data Protection Regulation (GDPR) sets requirements for any party that collects, stores, or processes the personal data of individuals in Europe. However, Shopify applies these GDPR requirements to all user data, regardless of whether an individual is located in Europe.
You need to ensure that any app that you distribute through the Shopify App Store is GDPR-compliant, regardless of whether your app currently collects personal data. Shopify provides mandatory webhooks to help.
Apps must meet the following webhook requirements:
- The app must implement the mandatory webhooks.
- The app must handle `POST` requests with a JSON body and a `Content-Type` header set to `application/json` sent to mandatory webhooks.
- If a mandatory webhook sends a request with an invalid Shopify `HMAC` header, then the app must return a `401 Unauthorized` HTTP status.
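The following is an added example (not Shopify's own code) of a webhook handler that meets the two requirements above: it verifies the signature over the raw request bytes before parsing the JSON body and returns `401` when the signature is missing or wrong. It assumes the standard Shopify signature header `X-Shopify-Hmac-Sha256` (a base64 HMAC-SHA256 of the raw body keyed with the app's client secret), the `X-Shopify-Topic` header, and the three mandatory topic names; the secret and request body in the usage call are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Assumed Shopify header names (not stated on this page).
HMAC_HEADER = "X-Shopify-Hmac-Sha256"
TOPIC_HEADER = "X-Shopify-Topic"
# Assumed names of the three mandatory GDPR webhook topics.
MANDATORY_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def compute_hmac(secret: str, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the raw body, keyed with the app's client secret."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_hmac(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing or empty header counts as invalid."""
    if not header_value:
        return False
    return hmac.compare_digest(compute_hmac(secret, raw_body), header_value)


def handle_mandatory_webhook(secret: str, headers: Dict[str, str], raw_body: bytes) -> Tuple[int, dict]:
    """Return (HTTP status, response body) for a mandatory-webhook request.

    The signature is checked on the raw bytes *before* json.loads: re-serialising
    the body would change the bytes the HMAC was computed over and break verification.
    """
    if not is_valid_hmac(secret, raw_body, headers.get(HMAC_HEADER)):
        return 401, {"error": "invalid HMAC"}          # required by Shopify
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, {"error": "expected application/json"}
    topic = headers.get(TOPIC_HEADER, "")
    if topic not in MANDATORY_TOPICS:
        return 404, {"error": "unknown topic"}
    payload = json.loads(raw_body)
    # A real app would now erase or export the data named in the payload.
    return 200, {"received": topic, "shop_id": payload.get("shop_id")}


if __name__ == "__main__":
    secret = "constructed-client-secret"                 # constructed sample
    body = b'{"shop_id": 954889, "shop_domain": "example.myshopify.com"}'
    hdrs = {"Content-Type": "application/json", TOPIC_HEADER: "shop/redact",
            HMAC_HEADER: compute_hmac(secret, body)}
    print(handle_mandatory_webhook(secret, hdrs, body))  # (200, {...})
```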