The 27 Shopify security checks Black Cat runs
Black Cat SSPM evaluates 27 security policies against your Shopify configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Reduce the number of full-access staff accounts to the minimum necessary
Apply least-privilege permissions to staff accounts instead of granting full store access
Remove unnecessary write permissions from custom app API scopes
Remove write_payment_gateways scope from the custom app to prevent unauthorized payment rerouting
Remove write_themes scope unless the app is an authorized theme management tool
Remove write_script_tags scope to prevent unauthorized script injection on checkout pages
Remove write_price_rules scope if the app does not require discount code management
Remove write_inventory scope if the app does not require inventory management
Assign explicit permissions to staff accounts or remove accounts with no assigned role
Remove write_fulfillments scope if the app does not manage order fulfillment
Remove unauthenticated_write_checkouts scope to prevent unauthorized checkout creation
Enable two-factor authentication for all admin-level staff accounts immediately
Remove the read_all_orders scope if the app does not need access to the full order history
Remove the write_draft_orders scope if the app does not need to create draft orders
Remove the write_order_edits scope if the app does not need to modify existing orders
Remove the write_users scope if the app does not need to manage staff accounts
configuration
Switch webhook format from XML to JSON for stronger HMAC signature verification
Complete the Shopify store setup to ensure all security features are active
data leakage
Enable storefront password protection to prevent public access to the store during setup
Update webhook destination URLs to use HTTPS to protect data in transit
Verify and document all external webhook destinations are authorized and expected
Remove unauthenticated customer read scopes to prevent PII exposure without authentication
Remove the combination of write_customers and payment read scopes to eliminate data-harvesting risk
mfa
Enable two-factor authentication for the flagged Shopify staff member
Enable two-factor authentication on the store owner account
network security
Update the webhook destination to a valid public HTTPS endpoint
sharing
Verify that webhooks subscribed to customer data events send PII to secure, authorized destinations