Missing Shopify-Ipgeo-Country and X-Shopify-Client-IP in app proxy requests?

Hi everyone, I just realized Shopify seems to have removed Shopify-Ipgeo-Country and X-Shopify-Client-IP from app proxy requests.

Our app was using these headers to detect customer country and IP, and they suddenly disappeared without any change on our side.

Has anyone else run into this? Also, was there any changelog or official update related to this change, and is there a recommended replacement for these headers?

Hi @parker,

I can confirm that this change is expected behaviour, and that these headers were removed due to security hardening efforts, as these are internal-use headers that should not have been exposed on the App Proxy requests initially. Since this was due to security hardening, and wasn’t expected behaviour in the first place, there were no changelog posts as it wasn’t a feature change.

The Shopify.dev docs do mention the expected headers that should be sent with App Proxy requests.

The forwarded request also adds the following headers:

  • X-Forwarded-Host: The domain name of the client’s request.
  • X-Forwarded-For: The client IP address.

In this case, you can use the X-Forwarded-For header to receive the IP address from the client making the request.

There are no headers for the country, though you can use the IP address from x-forwarded-for to determine this, or you can send the country from the Buyer Identity on the cart, or Liquid Customer information on the storefront in the proxy request body manually.

1 Like
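Reading the client address from X-Forwarded-For as suggested above, shown as an added example that is not part of the original thread and not Shopify's code: the header can carry a comma-separated chain of addresses, and anything to the left of the hops you trust is client-supplied, so this Python helper walks the chain from the right and skips trusted proxies. The function names and the `TRUSTED_PROXIES` ranges are assumptions (constructed private and documentation ranges); substitute the networks that actually sit in front of your app.

```python
import ipaddress

# Assumption: networks of the proxies allowed to append to X-Forwarded-For
# (your own load balancer, the platform edge). Constructed sample ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def _parse(token):
    """Return an ip_address for one X-Forwarded-For token, or None if malformed."""
    token = token.strip()
    if token.startswith("["):        # bracketed IPv6 with port: "[2001:db8::1]:443"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:      # IPv4 with port: "203.0.113.7:51234"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def client_ip(header_values, peer_ip, trusted=TRUSTED_PROXIES):
    """Pick the client address from X-Forwarded-For.

    header_values: list of X-Forwarded-For values (the header may repeat).
    peer_ip: address of the TCP peer that connected to this server.
    Returns the address as a string, or None when no trustworthy value exists.
    """
    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = _parse(peer_ip)
    if peer is None:
        return None
    # A peer that is not one of our proxies controls the header itself: ignore it.
    if not is_trusted(peer):
        return str(peer)
    hops = [token for value in header_values for token in value.split(",")]
    # Rightmost entries were appended by the proxies closest to this server.
    for token in reversed(hops):
        ip = _parse(token)
        if ip is None:
            return None              # malformed entry inside the chain: fail closed
        if not is_trusted(ip):
            return str(ip)           # first hop that is not one of our proxies
    return None                      # empty header, or every hop is a trusted proxy
```

Treat a `None` result as "unknown client" in rate limiting or geolocation rather than falling back to the leftmost entry.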

Hi Kellan

Thanks for confirming this.
Can you please comment on how X-Forwarded-For with all IPs trace list is more secure than x-shopify-client-ip you just dropped without any notice? Is there any less information now provided to warrant the client’s disruption?

1 Like

Hi Kellan,

Thanks for confirming what happened.

I do want to flag that this caused unexpected downtime for my merchants. I completely understand the security rationale, but since the header was present, many of us were relying on it in production without realising it wasn’t intended behaviour.

Even a brief heads-up via the Partner Dashboard or changelog would have made a big difference here. I’ve since migrated to X-Forwarded-For and things are working again, but it would be great to see some process around communicating these kinds of changes in future, even when they’re not considered feature changes.

Appreciate the transparency either way.

1 Like

Hi @Dimitry_Nechaev and @daryl,

I appreciate and understand your concerns with how this change has affected your apps and clients, and I will absolutely be passing some feedback internally that you’d like to see more clear communications on changes such as these in the future.

That said, unfortunately, as this is due to security improvements, I’m unable to discuss any specifics behind these changes.

Since these were undocumented headers, the use of them in your apps would be considered an unexpected use case, and to prevent disruptions such as these in the future, I would suggest ensuring you are following the development guidelines and schemas presented in our Shopify.dev documentation specifically.

In this case, the App Proxy documentation mentions that the only headers expected to be forwarded are the X-Forwarded-For and X-Forwarded-Host.

I also understand that the About app proxies and dynamic data - disallowed headers documentation doesn’t specifically mention these headers either. I’ll be sure to reach out to our developer team to see if we can update this documentation with the newly stripped headers.

Edit:
After discussing this with our developers further, the About app proxies and dynamic data - disallowed headers documentation is specifically referring to headers that are stripped from Responses sent for App Proxy Requests, so this would be any headers that you are passing back in the response. This documentation does not provide a list of headers being stripped from the Request itself, so we will not be adding the headers discussed above to this list, since they were headers from the Requests being stripped, not the Response.

1 Like

the fact that X-Forwarded-Host doesn’t exist in my app proxy requests

Hey @parker,

If you have any specific examples, we can absolutely help look into that further. If you can please reach out to our Support Team via the Shopify Help Center, while logged into your Partner Account, and provide us with a specific example of the HTTP Request received that is missing the X-Forwarded-Host header, we can help look into this with you in a fully authenticated support interaction.

Please be sure to have a specific example prepared, with all of the following information:

  • The app this is occurring with
  • The store this is occurring with
  • How can we replicate the request being sent from the storefront
  • The full plain text HTTP Request, including URL, Body, and Headers that you received for the proxy