Developing secure Shopify applications

Introduction

Having a high level of app security not only earns you the trust of your customers, but it also increases your company’s chances of success. As cyberattacks grow in frequency and cost, there is a long, difficult road ahead for the industry. However, with the advances in tooling and best practices, modern apps built this way can benefit significantly.

The Shopify ecosystem offers a fast, high-converting platform for millions of merchants, as well as security for credit card information and customer data. By developing an app for Shopify, you gain access to the platform and ensure the security of credit card information and customer information. Shopify is PCI compliant and handles the entire process. The credit card information is sent directly to Shopify, so you and your app users don’t have to worry about PCI compliance. However, this doesn’t mean you shouldn’t be careful when developing Shopify apps.  We must remain vigilant in ensuring the security of our Shopify apps as the Shopify ecosystem continues to grow. If enhanced functionality is introduced, such as when we send customer data to an artificial intelligence (AI) engine for recommendation purposes, it may be necessary to consider how customer data is used more carefully.

It is common to address web application flaws with modern frameworks, such as SQL injection, which breaks out of a poorly constructed query and interacts with the database in unintended ways. For your legacy app to comply with modern security standards, it will take a lot of time and effort to convert it to a Shopify app.  You are not “marking your own homework” when you hire an outside penetration testing company or consultant. Developers are often in the dark about their own security weaknesses.

One of the most challenging aspects of developing a Shopify app is handling personally identifiable information (PII), especially when collecting customer information. The trust of your users will be damaged if you make a small mistake in this area, and this will have a negative impact on the Shopify ecosystem as a whole.

Check the requirements for public apps, including GDPR compliance, having a privacy policy, and responding to deletion requests.

The purpose of this article is to provide you with an overview of 11 key areas  you need to consider when developing a secure Shopify application. Let’s take a closer look at why this is so important.

Maintain source code at all times

The use of source control is an essential aspect of developing new applications. In addition to saving time, it allows you to track the progress of your project and collaborate with other developers.

The deployment and build processes can be automated with source control, reducing the chance of human error. Following all the steps manually to get your application live increases the chance that something will go wrong. In the ideal world, everything would be implemented as code. With AWS, this could be CloudFormation or Terraform, while on Heroku, it might be a buildpack. In modern, low-config deployment environments such as Vercel, best practices are built in

Parameters of the environment

Having no secrets in your codebase, like Shopify keys, makes it easier to work on your code with other developers, and if your code was ever leaked, hackers wouldn’t be able to access third-party services, databases, or other resources.

In your local development environment, it is always advisable to practice running completely different instances of third-party services that you use, set them up specifically for development, and then place them in a `.env` file at the root of your project, which is ignored by source control. You can also add a .env.example to your repository in order to demonstrate which variables need to be configured.

When you start a project with the shopify-cli, a .env file will be created for you.

In addition, if you use the same instance of a SaaS product for mailing lists in development and production, you may potentially expose yourself to mailing customers from the development environment.

Information about users should be entered with care

When creating a Shopify app, chances are you’ll be adding a custom user interface (UI) either to the storefront or to the admin area. You should avoid directly accessing user-generated content through the DOM.

Before rendering user input to the page, it should always be encoded. In the case of a persistent XSS (Cross Site Scripting) attack, raw input could be saved into the database and remain in your Shopify app users’ shops until you are aware of it. In the worst-case scenario, you might be able to include a remote script tag and display fake payment pages that scrape credit card information.

This is easy to do with React by not calling `dangerouslySetInnerHtml` (so named to prevent you from using it). You should also check that your dependencies don’t do this.

If you’re in an older codebase using jQuery, you can use the `.text()` method to escape content.

Alternatively, remove any HTML tags in the backend before saving user-generated content into the database, which ensures any changes to the front end won’t introduce an XSS flaw.

Dependency checking

It is not risk-free to use other people’s code, but in modern web development it makes sense. It is even foolish (e.g. cryptography/hashing algorithms) to use your own code in certain scenarios. This is called Schneier’s Law: “Anyone, from the most clueless amateur to the most skilled cryptographer, is capable of creating an algorithm that they themselves cannot break.”

Reinventing the wheel sometimes isn’t just a waste of time, it’s a security risk to boot.

It’s worth checking that your dependencies are kept up-to-date. You can use `npm audit` as a requirement for JavaScript applications. Synk offers a much-improved database, which is much more highly moderated and maintained by security professionals.

In addition to the much more highly-moderated database, Synk also offers bundler-audit, which will check your Gemfile for Ruby on Rails apps. GitHub Actions and BitBucket Pipelines can be used to implement ‘Lock’ for any known vulnerabilities in your gems. Developers can see right away if there are security issues in your app if this action flag is set to a warning. To automatically open Pull Requests, you can use tools like Dependabot.

Passwords should all be hashed

Be sure not to store passwords in plaintext in the database. Check your log files and error tracking tools for accidental recordings. When adapting an existing app, make sure you use the latest recommended salting algorithms recommended by OWASP instead of older hashing algorithms such as MD5.

Analysis of static data

It is possible to find certain types of issues, such as SQL injections, with many static analysis tools. Even though they cannot identify configuration issues or more complex issues, they can be a useful starting point, and often indicate ‘code smells’ that indicate areas of the codebase that need to be refactored and reviewed more thoroughly.  You should review static analysis flagged areas manually if you have built your Shopify app over time.

Rotate the keys

In a larger Shopify application, you’ll likely use a number of third-party services. In both development and production, API keys will be needed. You should have a process in place to rotate critical keys (like your Shopify Secret Key) frequently since they are more likely to get mishandled or saved somewhere they shouldn’t (such as a developer’s laptop). In this way, laptops left in public places avoid potential security issues. There will be different methods for rotating keys on each platform, but here’s how Shopify handles it.

TLS/SSL

During transmission of your data to the server, this padlock appears next to your address bar to let you know that it is encrypted. In recent years, it has become much easier to set up. Let’s Encrypt launched free certificates in 2014, and since then, the tooling and support from third-party hosting companies have only improved.

In addition to improving security and protecting PII from tampering and logging, using TLS/SSL for all connections, even your application server’s connection to your CDN (if one is used). If you’re hosted on AWS, you can generate free TLS certificates using their Certificate Manager, which can be used for CloudFront, Elastic Load Balancing, and API Gateway. Companies like Cloudflare also offer free certificates.

Code reviews

It’s more than just buying a list of products or following tips. Security is an ongoing process. The right code review process can help you start the right conversations about what measures you should be taking, as well as catch some easy-to-make mistakes while writing your Shopify app. Ad hoc code reviews can be conducted by using pull requests in GitHub, GitLab, and Bitbucket.

Multi-tenanted applications and query scoping

Like many developers who choose to build public Shopify apps to launch on the Shopify App Store, you will be selling them multiple times to many merchants. This means you will need to have multi-tenant functionality in place. You may already be doing this without calling it by the same name.

Each tenant is effectively a customer. You want to ensure that all your database tables include a `tenant_id` and are scoped and filtered by that ID in all areas of your application.

For example, if you have an endpoint that deletes a resource, you should be checking to see if the person sending the request belongs to that tenant.

There are many off-the-shelf multi-tenant libraries in Ruby, PHP, JavaScript and Python—often with helpers that hook into the ORM (Object–Relational Mapping, an object layer that represents your database) used by your framework. You should scope all database queries to the tenant using your application.

The most effective way to ensure you’re not leaking data or privileges across tenants is to build out automated tests for these.

Other ways to increase security could be to split tenants into regions, depending on the security, hosting, and data requirements for your application.

Automated tests

Maintaining a high quality automated test suite, such a one built in Jest, is a sign of a healthy codebase. It allows you to write complex functionality in less time, and allows new developers to write new code whilst ensuring existing features continue to work.

Permission checks are a great candidate for automated security tests. This is because this can be difficult to test manually, and the risk of breaking the correct checks is high enough to warrant spending the time building tests.

I highly recommend reading Test Driven Development: By Example by Kent Beck if you want to really get into testing.

Secure your app, and you’ll secure customer trust make sure you’re following the best practices in this article when building out your Shopify application. If you have an existing web app and are adding Shopify capabilities, make sure to do a thorough audit of existing code and data handling.

SQL injection and XSS (Cross-Site Scripting) flaws were common in 2008, now they’re much rarer in new builds thanks to application frameworks that help prevent shooting yourself in the foot.

This article should be a great starting point to make your next great Shopify app follow best practices in security. Stay safe!