DTC Guides

Building Secure Shopify Apps: Top Tips

|
September 12, 2022

As companies and business owners around the world continue to embrace Shopify as one of the top platforms for building an efficient website, demand for Shopify developers is increasing. Clients rely on their Shopify developers to create not just stunning websites and themes, but also powerful apps for the Shopify ecosystem. Increasingly, prioritizing and ensuring security is becoming a critical concern for any developer in the app-building landscape. Whether you’re collecting PII from clients for online transactions, or storing membership details, you need to ensure your app is safe and compliant.The good news is Shopify’s ecosystem is already PCI compliant, capable of handling every aspect of the checkout experience without security headaches. However, that doesn’t mean you don’t have to think carefully about security when building new Shopify apps.

Here are some top tips to ensure you deliver the right results for your clients.

  1. Use Source Control

Whether you’re building a theme or application in Shopify, it’s crucial to leverage the benefits of source control. This feature allows you to track and monitor changes in your apps, searching for any potential security concerns while collaborating with other team members. It also means you can automate various parts of the deployment and building process, reducing the risk of human error. 

The more you have to manually go through various steps to take your application to market, the more risk you have of something going wrong. Fortunately, there are plenty of orchestration tools to help you, from CloudFormation to Terraform, and low-config deployment landscapes like Vercel.

  1. Keep Secrets Out of Your Codebase

Building a secure Shopify app means minimizing access to private and confidential details in your codebase. Keeping Shopify keys and other variables out of your code base makes it easier to collaborate with other developers. It also ensures if your code was every leaked or hacked, the hackers wouldn’t have access to secure databases.

Generally, it’s a good idea to run completely different instances of third-party services collecting crucial data, and set them up in an .env file within the project root. Starting a project using the Shopify-Cli environment will automatically create an .env file on your behalf.

For instance, if you’re designing an app for product mailing lists, using different instances for production and development will keep each address collected secure. 

  1. Be Cautious with User Input

Most professional developers creating Shopify apps will end up adding a custom user interface to the admin area or storefront. Ideally, you’ll want to avoid DOM access with user content. It’s best to encode user input before adding it to the page, as Persistent XSS can happen if someone temporarily gains access to a Shopify user account. 

In particularly problematic scenarios, people could even add remote script tags to display fake payment pages to users and scrape credit card information. 

With React, make sure you don’t call “dangerouslySetInnnerHTML”. If you’re using an older codebase on jQuery, you can use the “.text()” method instead. Alternatively, simple remove HTML tags in the backend before saving any user-generated content to your database.

  1. Use Static Analysis

Examining your code for issues is one of the best things you can do to make your app more secure. There are various helpful static analysis tools available today which can assist developers with finding common issues, like SQL injections. While these tools can’t discover more complex problems and issues in configuration, they’re a great starting point.

Static analysis tools can indicate areas of the codebase which might require more in-depth human reviews. If you’ve built your app over a longer period of time, however, you might need to take more time manually reviewing certain areas flagged in a static analysis. 

  1. Double-Check Dependencies

In the modern web development world, staying ahead of trends and delivering exceptional experiences often involves using other people’s code. Unfortunately, this process is not risk-free. It’s worth checking your dependencies are up-to-date at all times, using features like “npm audit” for JavaScript applications. 

You can also use the bunder-audit solution for Ruby on Rails apps, which checks the Gemfile.lock for unknown vulnerabilities. These strategies should be implemented into your build tools on BitBucket pipelines and GitHub actions. If you make the action of auditing flag a warning for any issues, other developers will also be able to see security issues in the app.

  1. Always Use TLS/SSL

The little padlock that appears next to a website address is one of the first things any user will look for when assessing the credibility of a Shopify website. It shows data is encrypted when sent to the website server. Fortunately, it’s much easier to set this functionality up today. There are free certificates available from Let’s Encrypt, and many hosting companies offer encryption too.

Using TLS and SSL for all of your connections, even the link between your CDN and application server will immediately improve security. If you’re hosting on AWS, you can even use the certificate manager to build TLS certificates you can be used in a range of environments. 

  1. Hash Passwords

This might seem like an obvious tip for an experienced Shopify developer, but it’s crucial. You should never store passwords in plaintext in your database. Make sure you always check your log files and error tracking tools for any accidental recordings too. 

If you’re working on an existing app, you may need to remove older hashing algorithms like MD5, and update to the most recent recommended options instead.

  1. Rotate Your Keys

If you’re building a larger Shopify application with more features, you may need to use a variety of third-party services. This relies on the usage of API keys for development and production. Over time, it becomes more likely these keys will end up being mishandled or saved somewhere accidentally. 

Having a process in place to rotate important keys frequently can reduce the risk of security issues, such as problems caused by laptops left in public places. 

Here’s a quick guide to rotating and revoking API credentials with Shopify to help you. 

  1. Conduct Code Reviews and Tests

Ensuring good app security isn’t just about following best-practice guidance during the initial building process. Generally, you’ll need to commit to an ongoing process of checking for safety problems. Getting your colleagues or peers to conduct code reviews can often be helpful. It’s even possible to submit requests in GitHub and GitLab. 

An automated testing suite can be useful too. There are various testing options out there which allow you to write complex functionality into your app in less time, without worrying about performance issues. Some checks are more specifically suited to automated security tests than others. For instance, permission checks can be difficult to perform manually, making automation much more appealing.

Keep Your Apps Secure

If you’re going to start expanding your skillset as a Shopify developer by designing custom apps for your customers, you’ll need to ensure you put security first. Following the right best practices to keep your clients and their end-users safe will make it much easier to secure customer trust. 

As the digital world grows increasingly dangerous, taking security seriously will be crucial to your future success with any client.

7,93
15,86
23,8
31,73
39,66
47,6
55,53
63,46
71,4

As companies and business owners around the world continue to embrace Shopify as one of the top platforms for building an efficient website, demand for Shopify developers is increasing. Clients rely on their Shopify developers to create not just stunning websites and themes, but also powerful apps for the Shopify ecosystem. Increasingly, prioritizing and ensuring security is becoming a critical concern for any developer in the app-building landscape. Whether you’re collecting PII from clients for online transactions, or storing membership details, you need to ensure your app is safe and compliant.The good news is Shopify’s ecosystem is already PCI compliant, capable of handling every aspect of the checkout experience without security headaches. However, that doesn’t mean you don’t have to think carefully about security when building new Shopify apps.

Here are some top tips to ensure you deliver the right results for your clients.

  1. Use Source Control

Whether you’re building a theme or application in Shopify, it’s crucial to leverage the benefits of source control. This feature allows you to track and monitor changes in your apps, searching for any potential security concerns while collaborating with other team members. It also means you can automate various parts of the deployment and building process, reducing the risk of human error. 

The more you have to manually go through various steps to take your application to market, the more risk you have of something going wrong. Fortunately, there are plenty of orchestration tools to help you, from CloudFormation to Terraform, and low-config deployment landscapes like Vercel.

  1. Keep Secrets Out of Your Codebase

Building a secure Shopify app means minimizing access to private and confidential details in your codebase. Keeping Shopify keys and other variables out of your code base makes it easier to collaborate with other developers. It also ensures if your code was every leaked or hacked, the hackers wouldn’t have access to secure databases.

Generally, it’s a good idea to run completely different instances of third-party services collecting crucial data, and set them up in an .env file within the project root. Starting a project using the Shopify-Cli environment will automatically create an .env file on your behalf.

For instance, if you’re designing an app for product mailing lists, using different instances for production and development will keep each address collected secure. 

  1. Be Cautious with User Input

Most professional developers creating Shopify apps will end up adding a custom user interface to the admin area or storefront. Ideally, you’ll want to avoid DOM access with user content. It’s best to encode user input before adding it to the page, as Persistent XSS can happen if someone temporarily gains access to a Shopify user account. 

In particularly problematic scenarios, people could even add remote script tags to display fake payment pages to users and scrape credit card information. 

With React, make sure you don’t call “dangerouslySetInnnerHTML”. If you’re using an older codebase on jQuery, you can use the “.text()” method instead. Alternatively, simple remove HTML tags in the backend before saving any user-generated content to your database.

  1. Use Static Analysis

Examining your code for issues is one of the best things you can do to make your app more secure. There are various helpful static analysis tools available today which can assist developers with finding common issues, like SQL injections. While these tools can’t discover more complex problems and issues in configuration, they’re a great starting point.

Static analysis tools can indicate areas of the codebase which might require more in-depth human reviews. If you’ve built your app over a longer period of time, however, you might need to take more time manually reviewing certain areas flagged in a static analysis. 

  1. Double-Check Dependencies

In the modern web development world, staying ahead of trends and delivering exceptional experiences often involves using other people’s code. Unfortunately, this process is not risk-free. It’s worth checking your dependencies are up-to-date at all times, using features like “npm audit” for JavaScript applications. 

You can also use the bunder-audit solution for Ruby on Rails apps, which checks the Gemfile.lock for unknown vulnerabilities. These strategies should be implemented into your build tools on BitBucket pipelines and GitHub actions. If you make the action of auditing flag a warning for any issues, other developers will also be able to see security issues in the app.

  1. Always Use TLS/SSL

The little padlock that appears next to a website address is one of the first things any user will look for when assessing the credibility of a Shopify website. It shows data is encrypted when sent to the website server. Fortunately, it’s much easier to set this functionality up today. There are free certificates available from Let’s Encrypt, and many hosting companies offer encryption too.

Using TLS and SSL for all of your connections, even the link between your CDN and application server will immediately improve security. If you’re hosting on AWS, you can even use the certificate manager to build TLS certificates you can be used in a range of environments. 

  1. Hash Passwords

This might seem like an obvious tip for an experienced Shopify developer, but it’s crucial. You should never store passwords in plaintext in your database. Make sure you always check your log files and error tracking tools for any accidental recordings too. 

If you’re working on an existing app, you may need to remove older hashing algorithms like MD5, and update to the most recent recommended options instead.

  1. Rotate Your Keys

If you’re building a larger Shopify application with more features, you may need to use a variety of third-party services. This relies on the usage of API keys for development and production. Over time, it becomes more likely these keys will end up being mishandled or saved somewhere accidentally. 

Having a process in place to rotate important keys frequently can reduce the risk of security issues, such as problems caused by laptops left in public places. 

Here’s a quick guide to rotating and revoking API credentials with Shopify to help you. 

  1. Conduct Code Reviews and Tests

Ensuring good app security isn’t just about following best-practice guidance during the initial building process. Generally, you’ll need to commit to an ongoing process of checking for safety problems. Getting your colleagues or peers to conduct code reviews can often be helpful. It’s even possible to submit requests in GitHub and GitLab. 

An automated testing suite can be useful too. There are various testing options out there which allow you to write complex functionality into your app in less time, without worrying about performance issues. Some checks are more specifically suited to automated security tests than others. For instance, permission checks can be difficult to perform manually, making automation much more appealing.

Keep Your Apps Secure

If you’re going to start expanding your skillset as a Shopify developer by designing custom apps for your customers, you’ll need to ensure you put security first. Following the right best practices to keep your clients and their end-users safe will make it much easier to secure customer trust. 

As the digital world grows increasingly dangerous, taking security seriously will be crucial to your future success with any client.

Talk to an expert
Discuss the project for free
with a Storetasker Expert
From an Expert
No items found.
7,93
15,86
23,8
31,73
39,66
47,6
55,53
63,46
71,4