Why are all products public?

This is something I’ve been wondering since I started developing on Shopify.

Why does every Shopify store expose a list of every available product via multiple public .json endpoints? For example: this link shows every item for sale by hiutdemin (just took the first store from this “50+ best Shopify Stores” article as an example).

Is there a technical reason this json has to exist?

As I’ve mentioned to the Shopify service people in the past on the old forum, I’ve come across a lot of websites that allow users to create their own product, which then gets exposed via this endpoint, allowing others to see things like addresses (a custom wedding invitation shop), photos (shops selling prints on pillows) or other random items.

We’re developing an app for digital manufacturing where customers upload technical drawings of products for us to produce, and we’re working around this issue by keeping info in created products generic and linking sensitive data via metaobjects (which are private) but this is a huge hassle. Also, this means we can’t do basic things like using the product image to show a preview, as this image is public and would expose sensitive design data.

There are some other things you can do, like work with draft orders, but all of these methods are cumbersome and remove a lot of the ease of use of standard Shopify objects. It takes a lot of extra time, and is easy to get wrong, leading to leaking sensitive information (as I’ve seen so many sites do in the past).
I’ve also read you should use the order line properties to store this kind of data, as this is only linked to the cart and not to the product itself, but this only works with very limited information.

I can’t imagine Shopify needs this endpoint, as everything is done using GraphQL. So I’d think it would make sense to have a simple private flag on products, which when enabled hides the product from any public endpoint and only allows access to the product via its GUID (which would be pretty much impossible to guess).

Hi Jasper,

This is an experience that our internal teams are aware of and are working to improve. There is nothing to share on an ETA though, so the best option right now is to work with metaobjects to ensure any sensitive data is not available via the JSON endpoint.
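An added example, not part of the thread and not Shopify's code: a check a merchant or app developer could run over a saved copy of their own store's public product JSON to confirm the "keep products generic" workaround discussed above has not slipped. The field names (`products`, `handle`, `title`, `body_html`, `tags`, `variants`, `images`) are assumed to match the public product listing, the `custom-order` tag is hypothetical, and the sample data is constructed.

```python
import re

# Patterns for data that should never appear in a publicly listed product.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)\+?\d[\d\s().-]{8,}\d(?!\d)"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+\w+(?:\s\w+){0,3}\s(?:Street|St|Road|Rd|Avenue|Ave|Lane|Ln)\b", re.I),
}
CUSTOM_TAG = "custom-order"  # hypothetical tag the app sets on customer-created products

def audit_products(payload):
    """Return (handle, field, kind) findings for a parsed public product listing."""
    findings = []
    for product in payload.get("products", []):
        handle = product.get("handle", "<no handle>")
        tags = product.get("tags") or []
        if isinstance(tags, str):  # some exports give tags as one comma-separated string
            tags = [t.strip() for t in tags.split(",") if t.strip()]
        texts = {"title": product.get("title") or "",
                 "body_html": product.get("body_html") or "",
                 "tags": " ".join(tags)}
        for i, variant in enumerate(product.get("variants") or []):
            texts[f"variants[{i}].title"] = variant.get("title") or ""
        for field, text in texts.items():
            for kind, pattern in PATTERNS.items():
                if pattern.search(text):
                    findings.append((handle, field, kind))
        # Customer-created products must stay generic: no uploaded image at all.
        if CUSTOM_TAG in tags and product.get("images"):
            findings.append((handle, "images", "customer_image_public"))
    return findings

# Constructed sample: one leaky invitation, one generic part, one part with a public image.
SAMPLE = {"products": [
    {"handle": "invite-1", "title": "Wedding invitation for 12 Oak Street",
     "body_html": "<p>RSVP to jane@example.com or +1 555 010 9999</p>",
     "tags": [], "variants": [{"title": "Default Title"}], "images": []},
    {"handle": "part-generic", "title": "Custom part", "body_html": "Made to order.",
     "tags": ["custom-order"], "variants": [], "images": []},
    {"handle": "part-leaky", "title": "Custom part", "body_html": "",
     "tags": "custom-order, cnc", "variants": [],
     "images": [{"src": "https://cdn.example.invalid/drawing.png"}]},
]}

if __name__ == "__main__":
    for finding in audit_products(SAMPLE):
        print(finding)
```

The patterns are deliberately coarse, so treat each finding as a prompt for manual review and extend them for the kinds of data your own products can carry.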