Shopify's core platform is secure — but most store breaches come from third-party app permissions, exposed API keys, and checkout script injections. This checklist helps merchants and developers reduce practical risk in days, not months.
Also see: GDPR Technical Controls, Cookie Consent & GDPR Guide, and Pre-Launch Security Checklist.
Top Shopify Security Risks in 2026
Understanding where breaches actually occur helps prioritize effort:
- Magecart / skimming attacks: Malicious JavaScript injected into checkout pages to steal payment card data. Comes via compromised third-party apps or theme code.
- Overprivileged apps: Apps with read_customers or write_orders scopes that don't actually need them — creating unnecessary data exposure risk.
- Leaked Storefront API keys: Storefront API tokens hardcoded in theme JS or exposed in public GitHub repos — allowing attackers to enumerate customer data or manipulate carts.
- Staff account compromise: Weak passwords and no MFA on staff accounts — giving attackers full admin access via credential stuffing.
- Abandoned app integrations: Apps that were uninstalled from Shopify but still have webhook access or retained customer data.
Admin and Staff Account Hardening
- Enable MFA for all staff accounts: In Shopify Admin → Settings → Users and permissions → require 2FA for all staff. This is the single highest-impact control.
- Assign minimum required permissions: Don't give all staff "full access." Define roles: marketing (products/content), support (orders/customers), developer (theme/code).
- Remove former staff immediately: In Settings → Users and permissions, delete accounts for anyone who has left. Revoke any API keys they created.
- Review staff IP access: If your Shopify plan supports IP allowlisting, restrict admin access to known office/VPN IPs.
- Use unique email per staff member: Shared email addresses make attribution and offboarding impossible.
# Staff account audit process (monthly)
1. Export staff list: Settings → Users and permissions
2. Cross-reference with current employee list
3. Remove accounts for departed staff
4. Confirm MFA is enabled on all remaining accounts
5. Review permission level for each role
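The monthly staff audit above is a reconciliation: export, compare against HR, then flag what does not belong. The script below is an added example (not part of the original checklist or any Shopify tool) that runs those five steps over a constructed staff export and HR roster. The export columns, the role-to-permission baseline and the sample accounts are all assumptions; map them to what your store's export actually contains.

```python
import csv
import io

# Constructed sample export. The column names are an assumption: map them to
# whatever your real "Users and permissions" export or admin listing provides.
STAFF_EXPORT_CSV = """email,permissions,mfa_enabled,last_login
owner@example.com,full,yes,2026-01-10
alice@example.com,products;content,yes,2026-01-09
bob@example.com,full,no,2025-11-02
carol@example.com,orders;customers;themes,yes,2026-01-08
shared-support@example.com,orders,no,2026-01-07
"""

# Constructed HR roster (email -> role). Anyone who has left is simply absent,
# and a shared mailbox never matches a named person, so both get flagged.
ROSTER = {
    "owner@example.com": "owner",
    "alice@example.com": "marketing",
    "carol@example.com": "support",
}

# Hypothetical role-to-permission baseline following the page's role split.
ROLE_PERMISSIONS = {
    "owner": {"full"},
    "marketing": {"products", "content"},
    "support": {"orders", "customers"},
    "developer": {"themes", "code"},
}


def parse_export(text):
    """Turn the CSV export into dicts with normalised email, permission set and MFA flag."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": row["email"].strip().lower(),
            "permissions": {p for p in row["permissions"].split(";") if p},
            "mfa": row["mfa_enabled"].strip().lower() == "yes",
        })
    return rows


def audit_staff(rows, roster, role_permissions):
    """Return (email, finding) tuples: unknown/departed accounts, missing MFA, excess permissions."""
    findings = []
    seen = set()
    for r in rows:
        email = r["email"]
        if email in seen:
            findings.append((email, "duplicate account"))
        seen.add(email)
        role = roster.get(email)
        if role is None:
            # Not a current employee: remove the account and rotate any API keys they created.
            findings.append((email, "not on roster: remove account and revoke their API keys"))
            continue
        if not r["mfa"]:
            findings.append((email, "MFA disabled"))
        excess = r["permissions"] - role_permissions.get(role, set())
        if excess:
            findings.append((email, "excess permissions for role %s: %s"
                             % (role, ", ".join(sorted(excess)))))
    return findings


if __name__ == "__main__":
    for email, finding in audit_staff(parse_export(STAFF_EXPORT_CSV), ROSTER, ROLE_PERMISSIONS):
        print(email, "-", finding)
```

Accounts missing from the roster are reported and skipped before the MFA and permission checks, since an account that should not exist gets removed rather than tuned; the remaining findings are the ones a reviewer acts on in Settings → Users and permissions.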
App Permissions and API Keys
Every installed Shopify app is a potential attack vector. Overprivileged apps with access to customer PII and orders are the highest risk.
- Audit all installed apps monthly: Admin → Apps → review each app. Remove any you no longer use.
- Check app scopes: When installing new apps, reject any that request more permissions than their function requires.
- Revoke inactive Storefront API keys: Admin → Apps → Develop apps → review all private apps and Storefront API clients. Revoke any that are unused or unrecognized.
- Never commit API keys to Git: Storefront API tokens and Admin API keys must never appear in theme code pushed to a public repository.
- Rotate API keys after staff departures: Any developer who left may have retained private app API keys.
# Find exposed Storefront API tokens in theme
# Search your theme code for:
grep -r "storefront_access_token" . --include="*.js" --include="*.liquid"
grep -r "shpat_" . --include="*.js" # Admin API token prefix
grep -r "shpss_" . --include="*.js" # Storefront session token prefix
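Reviewing app scopes by hand works for a handful of apps; once there are dozens, a baseline of what each kind of app legitimately needs makes the "revoke anything unnecessary" step mechanical. The script below is an added example (not from the original page or from Shopify) that checks a constructed app inventory against a hypothetical per-category baseline, and also answers the later question of which apps hold read_customers access. The scope names used (read_customers, write_customers, read_orders, write_orders, read_products, read_content, write_content, read_shipping, write_script_tags) are Shopify Admin API access scopes; the baseline, the categories and the sample apps are assumptions.

```python
# Hypothetical per-category scope baseline: what an app of that kind needs.
SCOPE_BASELINE = {
    "marketing": {"read_products", "read_content", "write_content"},
    "reviews": {"read_products", "read_orders"},
    "shipping": {"read_orders", "write_orders", "read_shipping"},
}

# Scopes that expose customer PII.
PII_SCOPES = {"read_customers", "write_customers"}

# Constructed sample inventory of installed apps and their granted scopes.
INSTALLED_APPS = [
    {"name": "Newsletter Pro", "category": "marketing",
     "scopes": {"read_products", "write_content", "read_customers"}},
    {"name": "Review Widget", "category": "reviews",
     "scopes": {"read_products", "read_orders"}},
    {"name": "Ship Fast", "category": "shipping",
     "scopes": {"read_orders", "write_orders", "write_customers", "write_script_tags"}},
    {"name": "Old Popup", "category": "unknown",
     "scopes": {"write_script_tags", "read_customers"}},
]


def apps_with_scope(apps, scope):
    """Names of apps holding a given scope, e.g. every app that can read customer PII."""
    return sorted(app["name"] for app in apps if scope in app["scopes"])


def audit_app_scopes(apps, baseline, pii_scopes):
    """Return (app, severity, detail) tuples for every scope outside the app's baseline."""
    findings = []
    for app in apps:
        allowed = baseline.get(app["category"])
        if allowed is None:
            # No baseline means nobody has decided what this app should hold: review it by hand.
            findings.append((app["name"], "medium",
                             "no scope baseline for category '%s'; review manually" % app["category"]))
            allowed = set()
        for scope in sorted(app["scopes"] - allowed):
            if scope in pii_scopes:
                severity, why = "high", "customer PII scope not needed by a %s app" % app["category"]
            elif scope.endswith("script_tags"):
                # Script-tag scopes let an app add JavaScript to the storefront or checkout.
                severity, why = "high", "can add scripts to the storefront or checkout"
            else:
                severity, why = "medium", "outside baseline"
            findings.append((app["name"], severity, "%s: %s" % (scope, why)))
    return findings


if __name__ == "__main__":
    print("Apps with read_customers:", apps_with_scope(INSTALLED_APPS, "read_customers"))
    for name, severity, detail in audit_app_scopes(INSTALLED_APPS, SCOPE_BASELINE, PII_SCOPES):
        print(severity.upper(), name, "-", detail)
```

PII scopes and script-tag scopes are rated high because they map directly to the two breach paths named at the top of the page: customer data exposure and checkout script injection.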
Checkout and Script Integrity
Checkout is the highest-value attack target. Magecart attacks inject skimming scripts that steal payment card data at checkout submission.
- Inventory all checkout scripts: Admin → Online Store → Themes → Edit code → search for <script> tags in checkout.liquid and theme.liquid.
- Verify every third-party script domain: Only allow scripts from vendors you can name and have a contractual relationship with. Remove unrecognized domains immediately.
- Check for script tag apps: Admin → Apps → Script tags. Any app adding scripts to checkout should be reviewed.
- Use Subresource Integrity (SRI): For scripts loaded from external CDNs, add integrity and crossorigin attributes so the browser verifies the script hash hasn't been tampered with.
- Monitor checkout script changes: Use a file integrity tool or manually diff checkout.liquid before and after any app install.
<!-- SRI example for external checkout script -->
<!-- [hash] is the base64-encoded SHA-384 of the exact file bytes; crossorigin is required for SRI to work on a cross-origin script -->
<script src="https://cdn.vendor.com/checkout.js"
        integrity="sha384-[hash]"
        crossorigin="anonymous"></script>
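The script inventory, the vendor-domain check and the SRI step above can be run as one pass over a theme file. The code below is an added example (not part of the original page or any Shopify tool) that parses <script> tags from a constructed checkout.liquid fragment, compares each host against a hypothetical vendor allowlist, flags external scripts that lack an integrity attribute, and computes or verifies an SRI hash for a file's exact bytes. The fragment, the allowlist and the vendor hosts are assumptions.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')

# Constructed fragment standing in for checkout.liquid (not a real theme file).
CHECKOUT_LIQUID = """
<script src="https://cdn.shopify.com/s/javascripts/checkout.js"></script>
<script src="https://cdn.vendor.com/checkout.js"
        integrity="sha384-REPLACE_WITH_REAL_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.vendor.com/widget.js"></script>
<script src="https://static.unknown-analytics.example/t.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
"""

# Hypothetical vendor allowlist: host -> whether SRI is required. Files the
# platform itself updates cannot be hash-pinned without breaking the store;
# a contracted vendor's versioned file is exactly where SRI belongs.
ALLOWED_SCRIPT_HOSTS = {"cdn.shopify.com": False, "cdn.vendor.com": True}


def parse_script_tags(markup):
    """Attribute dicts for every <script ...> opening tag in the markup."""
    return [{k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
            for m in SCRIPT_TAG_RE.finditer(markup)]


def audit_checkout_scripts(markup, allowed_hosts):
    """Return (src, finding) tuples: unknown hosts, missing SRI, inline code to confirm."""
    findings = []
    for attrs in parse_script_tags(markup):
        src = attrs.get("src")
        if src is None:
            findings.append(("inline", "inline script: confirm it belongs to the theme, not an app or attacker"))
            continue
        host = urlparse(src).hostname or ""
        if host not in allowed_hosts:
            findings.append((src, "unrecognized script host: " + host))
        elif allowed_hosts[host] and "integrity" not in attrs:
            findings.append((src, "external script without SRI integrity attribute"))
        elif "integrity" in attrs and "crossorigin" not in attrs:
            findings.append((src, "integrity set but crossorigin missing; the browser cannot verify a cross-origin script"))
    return findings


def compute_sri(content):
    """SRI value for the exact bytes you will serve: 'sha384-' + base64(SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


def verify_sri(content, integrity):
    """True if the bytes match the integrity value (what the browser checks before executing)."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return base64.b64encode(hashlib.new(algo, content).digest()).decode("ascii") == expected


if __name__ == "__main__":
    for src, finding in audit_checkout_scripts(CHECKOUT_LIQUID, ALLOWED_SCRIPT_HOSTS):
        print(src, "-", finding)
    print(compute_sri(b"/* vendor checkout.js contents go here */"))
```

Run it before and after every app install and diff the two finding lists; a new host or a new inline block is the change the "monitor checkout script changes" step is looking for. Note that the hash must be computed over the exact bytes the CDN serves, so fetch the file and hash that response rather than a local copy.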
Security Headers for Shopify Storefronts
Shopify controls most HTTP response headers at the platform level, but you can influence some via theme configuration:
- Content-Security-Policy via meta tag: Add a <meta http-equiv="Content-Security-Policy"> tag in your theme <head> to restrict script/style sources. Note: meta CSP cannot use frame-ancestors or report-uri — those require HTTP headers.
- Verify Shopify's default headers: Run the Shopify security scanner to see which headers Shopify sets and which are missing on your storefront.
- Review iframe embedding: If you embed your store in other sites, verify X-Frame-Options settings to prevent clickjacking on checkout.
<!-- Add in theme.liquid <head> section -->
<!-- frame-ancestors and report-uri are ignored in a meta CSP (see the note above); deliver those as HTTP headers instead -->
<!-- 'unsafe-inline' in script-src lets an injected inline script run; tighten it where the theme permits -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' https://cdn.shopify.com https://checkout.shopify.com;
               script-src 'self' 'unsafe-inline' https://cdn.shopify.com https://www.googletagmanager.com;">
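A CSP delivered in a meta tag is easy to get subtly wrong: some directives are silently ignored there, and 'unsafe-inline' in script-src undoes much of the protection against injected skimmers. The script below is an added example (not part of the original page) that parses a policy string and reports those two problems plus over-broad script sources. The policy it checks is a constructed one modelled on the meta-tag example above, and the list of meta-ignored directives reflects the CSP specification (frame-ancestors, report-uri, sandbox).

```python
# Directives browsers ignore when the policy arrives in a <meta> tag.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}

# Constructed policy modelled on the page's meta-tag example.
EXAMPLE_POLICY = (
    "default-src 'self' https://cdn.shopify.com https://checkout.shopify.com; "
    "script-src 'self' 'unsafe-inline' https://cdn.shopify.com https://www.googletagmanager.com; "
    "frame-ancestors 'self';"
)


def parse_csp(policy):
    """Map directive name -> list of source tokens."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_script_src(directives):
    """script-src falls back to default-src when absent; None if neither is set."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def audit_meta_csp(policy):
    """Return (kind, message) tuples for a policy intended for a <meta> tag."""
    d = parse_csp(policy)
    findings = []
    for name in sorted(META_IGNORED & d.keys()):
        findings.append(("ignored", "%s has no effect in a meta CSP; it must be sent as an HTTP header" % name))
    sources = effective_script_src(d)
    if sources is None:
        findings.append(("missing", "no script-src or default-src: scripts from any origin are allowed"))
        return findings
    # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline', so only
    # flag the case where it actually takes effect.
    has_nonce_or_hash = any(t.startswith("'nonce-") or t.startswith("'sha") for t in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append(("weak", "script-src allows 'unsafe-inline': an injected inline skimmer would run; use nonces or hashes"))
    for t in sources:
        if t in ("*", "http:", "https:", "data:"):
            findings.append(("weak", "script-src allows %s: any script from that scheme or origin runs" % t))
    return findings


if __name__ == "__main__":
    for kind, message in audit_meta_csp(EXAMPLE_POLICY):
        print(kind.upper(), "-", message)
```

The "ignored" findings are the ones to move into HTTP headers (or, on Shopify, to confirm the platform already sets); the "weak" findings are where an attacker-injected inline script would still execute despite the policy being present.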
Customer Data and GDPR Controls
- Review which apps have read_customers access: Revoke it for any app that doesn't specifically need customer PII.
- Configure Shopify's customer data deletion: Admin → Settings → Customer privacy — enable data subject request handling.
- Ensure your cookie consent banner fires before any analytics scripts load. Use Shopify's Customer Privacy API for GDPR-compliant consent collection.
- Verify your privacy policy names all data processors (Shopify, apps, analytics platforms). Update when installing new apps.
- Review data retention: configure Shopify to delete customer data per your retention policy.
Monthly Shopify Security Review Checklist
# Monthly Shopify security review (30 minutes)
[ ] Remove unused apps from Admin > Apps
[ ] Revoke inactive Storefront API keys
[ ] Audit staff accounts — remove departed, confirm MFA on all
[ ] Review checkout scripts for unrecognized domains
[ ] Check app permission scopes — revoke unnecessary scopes
[ ] Review customer data access by apps
[ ] Run external security scan (AI QA Monkey Shopify scan)
[ ] Verify CSP meta tag is present in theme
[ ] Confirm cookie consent banner is GDPR-compliant
[ ] Check for new CVEs in apps you use (app changelog)
Run a Shopify security check now
Scan your store for API key exposure, app-related risk, missing security headers, and checkout vulnerabilities.
Frequently Asked Questions
Is Shopify PCI DSS compliant?
Shopify is PCI DSS Level 1 certified as a platform. However, your store is only PCI compliant if you also secure third-party apps, don't store card data, and follow the integration security requirements. See our PCI DSS compliance checklist.
How do Magecart attacks affect Shopify stores?
Magecart attacks inject JavaScript skimmers into checkout pages via compromised third-party apps or theme code. Shopify's checkout is sandboxed on Shopify Plus, but standard plans allow theme code on checkout. Audit all checkout scripts monthly and use SRI hashes for external scripts.
What scopes should I allow for Shopify apps?
Grant only what is necessary for the app's function. A marketing app needs products and content, not orders. A review app needs read_products but not write_customers. Review scope requests critically during app installation.
How do I find if my Shopify store has been compromised?
Signs include: unrecognized scripts in checkout, new staff accounts you didn't create, customer complaints about fraudulent charges after shopping at your store, and unusual admin activity logs. Run a Shopify security scan immediately if you suspect compromise.