Hi Shopify Community,
A recent security scan detected an issue: Insecure Cross-Origin Resource Sharing (CORS) Configuration.
Suggested Solution:
The application should be configured with an allowlist, including only specific and trusted domains, to perform CORS requests.
I would like to set the Access-Control-Allow-Origin header for my Shopify store to allow only my domain.
My questions:
- Is there a way to restrict CORS to just my domain in Shopify?
- Will there be any issue if I set it to just my domain?
- If this is not possible, is this an actual security concern for a Shopify store?
Any advice or recommendations would be greatly appreciated!
Thanks!
Hey Nic,
Here are some recommendations:
- Restricting CORS to just your domain in Shopify: Shopify does not provide direct control over the Access-Control-Allow-Origin header for its storefront or admin APIs. CORS policies are managed by Shopify and are designed to ensure secure interactions between your app and Shopify’s APIs.
- Issues with restricting CORS to just your domain: If Shopify allowed such restrictions, limiting CORS to only your domain could prevent legitimate third-party integrations or tools (e.g., analytics or marketing apps) from functioning correctly. However, Shopify’s managed CORS policies already ensure that only authorized domains can access its APIs.
- Security concerns for a Shopify store: The inability to customize CORS headers is not typically a security concern for Shopify stores. Shopify’s APIs are protected by authentication mechanisms, such as OAuth tokens, ensuring that only authorized requests are processed. Additionally, Shopify enforces secure practices like session tokens for embedded apps to prevent unauthorized access.
If you are developing a custom app or storefront, you can implement additional security measures, such as validating incoming requests using HMAC headers or session tokens. We also have security guidelines here you can follow.
Hi Liam,
Thanks for your reply!
Are you able to share the list of authorized domains that can access its APIs?
There’s no ‘authorized domains’ list; anyone can send requests to your storefront, and CORS will not stop them.
Hi Gulam,
Thanks for your reply. Liam from Shopify mentioned that there is an authorized domain list, but you mentioned there isn’t. Could you clarify which is correct?
Looking forward to your response.