Skip to content

The 27 Shopify security checks Black Cat runs

Black Cat SSPM evaluates 27 security policies against your Shopify configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

mediumExcessive Admins

Reduce the number of full-access staff accounts to the minimum necessary

mediumStaff Unrestricted Permissions

Apply least-privilege permissions to staff accounts instead of granting full store access

mediumExcessive API Scopes

Remove unnecessary write permissions from custom app API scopes

highWrite Payment Gateways Scope

Remove write_payment_gateways scope from the custom app to prevent unauthorized payment rerouting

highWrite Themes Scope

Remove write_themes scope unless the app is an authorized theme management tool

highWrite Script Tags Scope

Remove write_script_tags scope to prevent unauthorized script injection on checkout pages

mediumWrite Price Rules Scope

Remove write_price_rules scope if the app does not require discount code management

mediumWrite Inventory Scope

Remove write_inventory scope if the app does not require inventory management

mediumStaff No Permissions

Assign explicit permissions to staff accounts or remove accounts with no assigned role

mediumWrite Fulfillments Scope

Remove write_fulfillments scope if the app does not manage order fulfillment

highUnauthenticated Write Checkouts Scope

Remove unauthenticated_write_checkouts scope to prevent unauthorized checkout creation

criticalAdmin Staff MFA Disabled

Enable two-factor authentication for all admin-level staff accounts immediately

highRead All Orders Scope

Remove the read_all_orders scope if the app does not need access to the full order history

mediumWrite Draft Orders Scope

Remove the write_draft_orders scope if the app does not need to create draft orders

highWrite Order Edits Scope

Remove the write_order_edits scope if the app does not need to modify existing orders

highWrite Users Scope

Remove the write_users scope if the app does not need to manage staff accounts

configuration

lowWebhook XML Format

Switch webhook format from XML to JSON for stronger HMAC signature verification

lowStore Setup Required

Complete the Shopify store setup to ensure all security features are active

data leakage

mediumPassword Protection Disabled

Enable storefront password protection to prevent public access to the store during setup

highWebhook Using HTTP

Update webhook destination URLs to use HTTPS to protect data in transit

lowWebhook External Destination

Verify and document all external webhook destinations are authorized and expected

highUnauthenticated Read Customers Scope

Remove unauthenticated customer read scopes to prevent PII exposure without authentication

highWrite Customers Read Payment Scope

Remove the combination of write_customers and payment read scopes to eliminate data-harvesting risk

mfa

highStaff MFA Disabled

Enable two-factor authentication for the flagged Shopify staff member

criticalAccount Owner MFA Disabled

Enable two-factor authentication on the store owner account

network security

mediumWebhook Private Destination

Update the webhook destination to a valid public HTTPS endpoint

sharing

mediumWebhook Customer Data Topic

Verify that webhooks subscribed to customer data events send PII to secure, authorized destinations

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial