
Solving Shopify CORS Errors with App Proxy and Secure PHP API Integration

Overview

A merchant operating multiple Shopify storefronts needed a reliable way to validate customer emails before activating accounts. They were using a custom PHP script triggered from a Shopify theme, but recent security changes by Shopify caused the solution to break. I was brought in to rebuild the integration using a secure and scalable approach that works across stores—without exposing sensitive data or depending on deprecated methods.

The Challenge

The original system relied on client-side JavaScript calling a remote PHP script using fetch(). This script queried Shopify’s Admin API to check whether a customer existed, but it ran into three problems:

  • CORS errors: Shopify's frontend environment blocked the cross-origin requests.
  • Security risks: Shopify tokens were passed via custom headers, visible in browser dev tools.
  • Lack of multi-store support: The script couldn’t dynamically route requests to the right store’s API token.

This created friction for new customers trying to activate their accounts and posed a security liability for the merchant.

Solution Design

To rebuild the system, I leveraged Shopify’s built-in App Proxy mechanism, which allows authenticated server-side routing of theme-based requests to a secure external endpoint. This method:

  • Prevents CORS errors by avoiding browser-based cross-origin calls.
  • Hides sensitive tokens from the frontend.
  • Scales easily across multiple Shopify stores.

I also rewrote both the frontend and backend logic to improve robustness and maintainability.

Key Updates

  • Registered an App Proxy that routes storefront requests to https://api.example.com/shopify/customer-activate.php.
  • Modified frontend logic: Created a new getCustomerData() JavaScript function that sends POST requests with the customer’s email securely in the body.
  • Removed insecure headers: Eliminated the use of custom HTTP headers that exposed tokens.
  • Enhanced PHP script:
    • Accepts JSON input.
    • Detects which store made the request using a Shopify-Site header.
    • Matches the correct API token dynamically.
    • Handles errors more gracefully and is compatible with PHP 7.2.
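
The proxy only counts as authenticated once the PHP endpoint checks the signature Shopify attaches to each proxied request. The following is an added example, not the project's code: it verifies the `signature` query parameter with HMAC-SHA256 and selects the store from the signed `shop` parameter instead of a request header. The function names, the $stores layout and the placeholder secrets are assumptions.

```php
<?php
// Added example, not the project's code. Function names, the $stores layout
// and all secrets/tokens are hypothetical placeholders.

// Parse the raw query string ourselves: $_GET collapses repeated keys.
function parse_proxy_query(string $queryString): array
{
    $params = [];
    foreach (array_filter(explode('&', $queryString), 'strlen') as $pair) {
        $parts = explode('=', $pair, 2);
        $params[urldecode($parts[0])][] = urldecode($parts[1] ?? '');
    }
    return $params;
}

// Returns the store's Admin API token if the request is a genuine App Proxy
// call for a known store, or null if it must be rejected.
function admin_token_for_request(string $queryString, array $stores)
{
    $params = parse_proxy_query($queryString);
    $shop = $params['shop'][0] ?? '';
    $given = $params['signature'][0] ?? '';
    if ($given === '' || !isset($stores[$shop])) {
        return null;
    }
    unset($params['signature']);

    // Shopify's scheme: "key=v1,v2" per parameter, sorted, joined with no separator.
    $pieces = [];
    foreach ($params as $key => $values) {
        $pieces[] = $key . '=' . implode(',', $values);
    }
    sort($pieces, SORT_STRING);
    // 'app_secret' is the app's shared secret for that store (assumed layout).
    $expected = hash_hmac('sha256', implode('', $pieces), $stores[$shop]['app_secret']);

    return hash_equals($expected, $given) ? $stores[$shop]['admin_token'] : null;
}

// Constructed configuration; keep real values outside the web root.
$stores = [
    'store-one.myshopify.com' => ['app_secret' => 'PLACEHOLDER_SECRET', 'admin_token' => 'PLACEHOLDER_TOKEN'],
];

$token = admin_token_for_request($_SERVER['QUERY_STRING'] ?? '', $stores);
if ($token === null) {
    http_response_code(401);
    exit(json_encode(['error' => 'invalid proxy signature']));
}
```

Because the endpoint URL is publicly reachable, a request that arrives without a valid signature did not come through the proxy and should never reach the Admin API lookup.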

Technical Highlights

  • Secure server-side routing through Shopify App Proxy.
  • Theme code isolation using a dedicated function for activation logic in account-activation.liquid.
  • Improved server compatibility by rewriting parts of the legacy PHP code.
  • Multi-store detection and token assignment based on request headers.

Tech Stack

Component | Purpose
Shopify (Liquid, Admin API) | Shopify integration
PHP 7.2+ | Backend scripting
REST APIs | API communication
JavaScript (Fetch API) | Frontend logic
Remote Hosting (e.g., api.example.com) | Hosting

Results

  • CORS issues resolved: The system now works natively within Shopify themes.
  • Sensitive data protected: Tokens and internal logic are hidden from the public.
  • Multi-store support enabled: The system handles customer activation from multiple Shopify stores seamlessly.
  • Better customer experience: Error handling improvements give users clear feedback when activation fails.

Why It Matters to eCommerce Managers

For eCommerce managers, especially those managing wholesale workflows or multi-brand Shopify instances, this case is a reminder of how platform-level security updates can disrupt key flows.

By rebuilding this activation system to use secure, Shopify-approved methods:

  • Customer onboarding became seamless again
  • Technical debt was eliminated
  • Maintenance overhead was reduced

And most importantly, customer trust and operational continuity were preserved.