Securing mandatory GDPR webhooks
The General Data Protection Regulation (GDPR) sets requirements for any party that collects, stores, or processes the personal data of individuals in Europe. Shopify, however, applies these GDPR requirements to all user data, regardless of whether the individual is located in Europe.
You need to ensure that any app that you distribute through the Shopify App Store is GDPR-compliant, regardless of whether your app currently collects personal data. Shopify provides mandatory webhooks to help.
Apps must meet the following webhook requirements:
- The app must implement the mandatory webhooks.
- The app must handle POST requests with a JSON body and a Content-Type header set to application/json sent to the mandatory webhooks.
- If a mandatory webhook sends a request with an invalid Shopify HMAC header, then the app must return a 401 Unauthorized HTTP status.
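The HMAC check above is the part most often done wrong, so here is an added example (not Shopify's code) of a receiver that verifies the signature over the raw body before parsing JSON and answers 401 when it does not match. It assumes the header name X-Shopify-Hmac-Sha256 and base64 HMAC-SHA256 keyed with the app's API secret, which is how Shopify signs webhooks; the Content-Type rejection with 415 and the X-Shopify-Topic echo are added choices, and the secret and body are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Shopify signs every webhook with the app's API secret key and sends the
# base64-encoded HMAC-SHA256 of the raw request body in this header.
HMAC_HEADER = "X-Shopify-Hmac-Sha256"

def compute_signature(secret: str, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the way Shopify computes it."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_signature(secret: str, raw_body: bytes, received: Optional[str]) -> bool:
    """Constant-time comparison against the received header; a missing header fails."""
    if not received:
        return False
    expected = compute_signature(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, received.encode("utf-8"))

def handle_mandatory_webhook(secret: str, headers: Dict[str, str],
                             raw_body: bytes) -> Tuple[int, str]:
    """Return (HTTP status, body) for a mandatory webhook POST.
    The HMAC is checked over the raw bytes before JSON parsing, so a forged or
    tampered request gets 401 and never reaches application logic. The
    Content-Type check is an added hardening step, not a rule from the page."""
    norm = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, raw_body, norm.get(HMAC_HEADER.lower())):
        return 401, "Unauthorized"
    if norm.get("content-type", "").split(";")[0].strip() != "application/json":
        return 415, "Unsupported Media Type"
    try:
        payload = json.loads(raw_body)
        if not isinstance(payload, dict):
            raise ValueError("webhook body must be a JSON object")
    except ValueError:
        return 400, "Bad Request"
    topic = norm.get("x-shopify-topic", "unknown")  # e.g. shop/redact
    # A real app would queue the data-request or redaction work here.
    return 200, json.dumps({"topic": topic, "shop_domain": payload.get("shop_domain")})

if __name__ == "__main__":
    # Constructed sample values: the secret and body are made up for this demo.
    secret = "constructed-app-secret"
    body = b'{"shop_id": 954889, "shop_domain": "example.myshopify.com"}'
    good = {"Content-Type": "application/json", "X-Shopify-Topic": "shop/redact",
            HMAC_HEADER: compute_signature(secret, body)}
    print(handle_mandatory_webhook(secret, good, body))        # status 200
    print(handle_mandatory_webhook(secret, good, body + b" "))  # status 401
```

Always hand the verifier the exact bytes received on the wire; re-serialising a parsed body will change whitespace or key order and make a genuine request fail the check.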