Is Headless Shopify secure?

Site security for ecommerce stores is make-or-break. Ensuring security of both the frontend and the ecom platform itself are crucial to maintaining a store that both your team and customers can be confident in.

The Shopify platform is known to be robust, boasting Level 1 compliance with PCI DSS, as well as SOC 2 Type II and SOC 3 certification. These certifications (in addition to Shopify’s internal compliance protocols), make for a highly-secure offering that has been externally certified for its compliance with security and data protection best practice.

Headless Shopify security considerations

With a Headless Shopify setup, there are more security considerations to make in contrast with a theme-based Shopify store.  This is because headless builds have more moving parts to them, such as the decoupled frontend, middleware, and a reliance on API queries to source and post data.

However, headless builds are also known for their security benefits, particularly when compared with legacy platforms. Their decoupled nature can conceal the backend from prying eyes, and server-side middleware used to obscure sensitive data and API queries.

A well-configured Headless Shopify store can provide just as much security confidence as a frontend hosted on the Shopify platform, if best practices are adhered to and careful considerations made in terms of implementation.

#1: Regarding Shopify

With a headless build, the primary Shopify-related security considerations are as follows:

1. Using the right APIs for the job
   
   Shopify provides several APIs by which external applications can interact with the platform. Selection of the appropriate API within a headless storefront build is critical for various reasons, not least security, data exposure, and rate limits. Shopify intends for the Storefront API to be used for frontend-related queries, such as headless build-outs. By adhering to this, API queries and mutations are only ever able to access publicly-available data from the store, as this API doesn't give scope to query or mutate data that's intended super sensitive.
    
2. Configuring the correct access scopes for APIs
   
   When configuring API settings via Shopify, ensure granting of necessary scopes only: treat redundancy as the enemy. This ensures that access tokens have limited scope and that the application utilizing the API connection is locked-down to queries it actually requires.
    
3. Ensuring water-tight guarding of API access keys and tokens
    
4. Make safe API calls
   
   It’s the responsibility of your development team or agency partner to ensure that any API calls made to Shopify are inherently secure. Backend requests only; no API requests are ever to occur on the client-side to Shopify directly! Doing so would expose access tokens, and somebody will end up fired.

These are all fairly straightforward expectations from a development team, and when practiced will ensure maximum confidence for Shopify-related compliance.

We're the experts in Headless Shopify.

Your search for answers ends here. Discover our services.

Explore Headless Shopify Services

#2: Regarding a Headless CMS, particularly if self-hosted open source

There are many options available in terms of a headless CMS, when planning for a Headless Shopify build. These will fall into one of two camps: SaaS/PaaS and self-hosted open source.

With SaaS options, your CMS provider (i.e. Sanity, Contentful) is largely responsible for ensuring overall security of the platform. Your main task is to ensure ongoing secrecy of API keys and access tokens, rotating these appropriately. In contrast, open source alternatives (i.e. Strapi, Payload) that are self-hosted will require their own security considerations, delegated to whoever hosts the software (i.e. your agency partner or software solutions provider, your own company, etc.).

Utilizing a centralized secrets management platform such as Doppler will go a long way in terms of ensuring robust token management and safeguarding.

When self-hosting a headless CMS, hardening and ongoing security of the server will also be required, in addition to ensuring security of the database, its access levels and associated permissions, and a generally timely response to any security releases made for the headless CMS over time.

Besides security releases, it’s solid practice to keep the headless CMS up-to-date anyway (read our guide on Headless Shopify maintenance here), so as to avoid it falling behind. This reduces your costs later down the line while ensuring access to the latest features, and helps you avoid falling into a pit of technical debt.

Security of a self-hosted Headless CMS database

Self-hosted headless CMSes will use either SQL, NoSQL, or flat-file database storage. Security considerations for the SQL or NoSQL database will largely be limited to protection of access credentials and connection strings, which can be managed by a cloud-based secrets platform. If the database itself is self-hosted, ensuring general security and hardening of the server on which it resides will also form part of expected protocol.

Informal chat? Works for us. 🤘

Contact Cocoon for a no-cost, no-obligation consultation.

Let's talk Shopify

#3: The JavaScript frontend framework

As with all software, it’s a good idea to keep the frontend framework up-to-date, particularly in response to any security releases. Installed dependencies should also be kept updated where feasible.

In general, risks associated with JS frontend frameworks are very slim, particularly in comparison to legacy/monolithic applications such as Magento and WordPress. Risk potential is reduced significantly further for static-generated Headless Shopify stores, because they don't maintain a direct connection to a server layer from the client-side.

The largest potential risk involves leaking of environment secrets, API keys & tokens, and lack of sufficient data sanitization. These scenarios are eliminated by best practice – which is why you should seek an experienced, proficient development team with a strong track record in Headless Shopify development.