Is applyAttributeChange spoofable?

Patrik_Majercik · February 13, 2026, 2:12pm

We use a Checkout UI Extension that calls applyAttributeChange to set a cart attribute. A Shopify Function then reads this attribute to apply a monetary discount.

Is this vulnerable to client-side spoofing? Can a user manually inject this attribute via the browser (AJAX) to trigger the discount bypassing the Extension?

If so, what is the secure best practice to pass trusted state from the Checkout UI to the Function?

Dylan · February 13, 2026, 2:27pm

As a rule of thumb, client’s cannot be trusted.

You have to either encrypt (but again if the keys are on the client, technically they can be compromised).

Or obfuscate via mapping to your discount via a UUID that has an extremely low chance of colliding or being guessed.

Samih · February 13, 2026, 4:47pm

In addition to @Dylan’s point, cart attributes are user-editable. Both Storefront and AJAX APIs let buyers, themes, or scripts change them. Don’t use them for app state, pricing, or anything security‑sensitive.

Use app‑owned metafields instead:

Scoped to your app and write‑protected (only your app can mutate them).
Not modifiable from the storefront by customers or theme scripts.
Stable for storing configuration and state your app depends on.

Topic		Replies	Views
How dangerous is it to pass Private Cart Attributes for use in a Shopify Function Functions cart-transform	4	91	August 21, 2025
Allow passing data to functions using a cart metafield Functions discount-functions	1	98	March 10, 2025
Function input.cart.attribute doesn't map to the AJAX cart attributes Functions discount-functions	5	146	April 30, 2025
Attributes set on cart sometimes don't get detected in the query Input Functions discount-functions , cart-transform	0	95	December 20, 2024
Discount Disappearing at Checkout – Clarification on Cookie Impact Functions discount-functions	0	40	October 21, 2025

Is applyAttributeChange spoofable?

Related topics