Solving Shopify CORS Errors with App Proxy and Secure PHP API Integration

Overview

A merchant operating multiple Shopify storefronts needed a reliable way to validate customer emails before activating accounts. They were using a custom PHP script triggered from a Shopify theme, but recent security changes by Shopify caused the solution to break. I was brought in to rebuild the integration using a secure and scalable approach that works across stores—without exposing sensitive data or depending on deprecated methods.

The Challenge

The original system relied on client-side JavaScript calling a remote PHP script using fetch(). This script queried Shopify’s Admin API to check if a customer existed, but it broke due to:

• CORS errors: Shopify's frontend environment blocked the cross-origin requests.
• Security risks: Shopify tokens were passed via custom headers, visible in browser dev tools.
• Lack of multi-store support: The script couldn’t dynamically route requests to the right store’s API token.

This created friction for new customers trying to activate their accounts and posed a security liability for the merchant.

Solution Design

To rebuild the system, I leveraged Shopify’s built-in App Proxy mechanism, which allows authenticated server-side routing of theme-based requests to a secure external endpoint. This method:

• Prevents CORS errors by avoiding browser-based cross-origin calls.
• Hides sensitive tokens from the frontend.
• Scales easily across multiple Shopify stores.

I also rewrote both the frontend and backend logic to improve robustness and maintainability.

Key Updates

• Registered an App Proxy that routes storefront requests to https://api.example.com/shopify/customer-activate.php.
• Modified frontend logic: Created a new getCustomerData() JavaScript function that sends POST requests with the customer’s email securely in the body.
• Removed insecure headers: Eliminated the use of custom HTTP headers that exposed tokens.
• Enhanced PHP script:
  • Accepts JSON input.
  • Detects which store made the request using a Shopify-Site header.
  • Matches the correct API token dynamically.
  • Improved error handling and made it compatible with PHP 7.2.

Technical Highlights

• Secure server-side routing through Shopify App Proxy.
• Theme code isolation using a dedicated function for activation logic in account-activation.liquid.
• Improved server compatibility by rewriting parts of the legacy PHP code.
• Multi-store detection and token assignment based on request headers.

Tech Stack

Results

• CORS issues resolved: The system now works natively within Shopify themes.
• Sensitive data protected: Tokens and internal logic are hidden from the public.
• Multi-store support enabled: The system handles customer activation from multiple Shopify stores seamlessly.
• Better customer experience: Error handling improvements give users clear feedback when activation fails.

Why It Matters to eCommerce Managers

For eCommerce managers, especially those managing wholesale workflows or multi-brand Shopify instances, this case is a reminder of how platform-level security updates can disrupt key flows.

By rebuilding this activation system to use secure, Shopify-approved methods:

• Customer onboarding became seamless again
• Technical debt was eliminated
• Maintenance overhead was reduced

And most importantly, customer trust and operational continuity were preserved.