How to fix passive scan only on Shopify
Complement passive security scans with active Dynamic Application Security Testing (DAST) against a staging copy of your store before each release.
Steps for Shopify
- Shopify hosts the production storefront on shared infrastructure that Shopify manages, so you cannot run DAST against it. Focus active testing on the custom apps, custom storefronts (Hydrogen/Storefront API), or third-party integrations you own.
- For custom Shopify apps or Hydrogen storefronts: deploy a staging version to a separate Shopify development store or a staging server (e.g. Vercel preview URL).
- Point OWASP ZAP (downloadable from zaproxy.org) at your development-store or staging URL. Enable 'Ajax Spider' for JavaScript-rendered pages common in Headless/Hydrogen setups.
- In ZAP, add an 'HTTP Session' with a logged-in test-customer cookie to scan authenticated checkout and account flows.
- Review ZAP's Alerts panel; remediate High/Medium findings in your custom app code before submitting to the Shopify App Store or pushing to production.
- For the hosted Shopify theme layer, rely on Shopify's own security programme and focus your DAST budget on custom code you control.
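Added example, not part of the original guide: a small Python release gate for the staging, scan and triage steps above. It refuses any target whose host is not on an explicit staging allow-list, builds the command for ZAP's packaged baseline scan with the Ajax spider enabled, and fails the build when ZAP's JSON report contains Medium or High alerts. The staging hostname, the docker image tag and the sample report are assumptions or constructed data.

```python
"""Added example: gate a release on a ZAP DAST run against a Shopify staging target."""
import json
import os
from urllib.parse import urlparse

# riskcode values used in ZAP's traditional JSON report: 0=Info, 1=Low, 2=Medium, 3=High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def is_allowed_target(url, allowed_hosts):
    """True only if the URL's host is an explicitly allow-listed staging host.
    The live storefront is never a DAST target, so anything else is refused."""
    host = (urlparse(url).hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}

def zap_baseline_argv(url, report="zap-report.json", ajax_spider=True):
    """Build the docker command for ZAP's packaged baseline scan (image tag assumed).
    -J writes the JSON report; -j adds the Ajax spider for JS-rendered Hydrogen pages."""
    argv = ["docker", "run", "--rm", "-v", f"{os.getcwd()}:/zap/wrk/:rw", "-t",
            "ghcr.io/zaproxy/zaproxy:stable", "zap-baseline.py", "-t", url, "-J", report]
    return argv + ["-j"] if ajax_spider else argv

def blocking_findings(report_json, min_risk=2):
    """Return (risk, alert name, affected URIs) for alerts at or above min_risk (2 = Medium)."""
    data = json.loads(report_json)
    found = []
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= min_risk:
                uris = sorted({i.get("uri", "") for i in alert.get("instances", [])})
                found.append((RISK_NAMES[risk], alert["name"], uris))
    return found

# Constructed sample in the shape of ZAP's JSON report; not output from a real scan.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://staging.example-store.test", "alerts": [
    {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
     "instances": [{"uri": "https://staging.example-store.test/account/login", "method": "GET"}]},
    {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "https://staging.example-store.test/", "method": "GET"}]}]}]})

if __name__ == "__main__":
    target = "https://staging.example-store.test/"  # hypothetical staging host
    if not is_allowed_target(target, ["staging.example-store.test"]):
        raise SystemExit(f"refusing to scan {target}: not an allow-listed staging host")
    print("would run:", " ".join(zap_baseline_argv(target)))
    blockers = blocking_findings(SAMPLE_REPORT)  # in CI: read the -J report after the scan
    for risk, name, uris in blockers:
        print(f"[{risk}] {name}: {', '.join(uris)}")
    raise SystemExit(1 if blockers else 0)
```

In a pipeline, run the built `argv` with `subprocess.run`, then feed the written report file to `blocking_findings` so Medium and High alerts block the push to production or the App Store submission.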
What is passive scan only?
Automated security scanners that check your live store passively — inspecting HTTP headers, TLS certificates, cookies, and DNS records — can only see what is publicly visible without logging in or submitting forms. They cannot detect deeper vulnerabilities like SQL injection, broken authentication, insecure API endpoints, or business-logic flaws. Dynamic Application Security Testing (DAST) tools, such as OWASP ZAP, actively probe a running copy of your application the way a real attacker would — sending crafted requests, testing login flows, and fuzzing inputs — to surface vulnerabilities a passive scan will never find. Running DAST against a staging environment (never your live store) gives you a much more complete security picture before code reaches customers.
Security misconfigurations and undetected vulnerabilities are the #5 risk on the OWASP Top Ten and are a leading cause of data breaches in ecommerce — exposing customer payment data, personal information, and admin credentials. A breach can result in PCI-DSS non-compliance fines, chargebacks, loss of payment-processor accounts, and severe reputational damage that directly destroys revenue. Relying solely on passive header checks leaves entire attack surfaces — checkout flows, account login, coupon logic, admin APIs — completely untested. Adding even a basic DAST scan to your pre-release checklist dramatically reduces the chance of shipping a critical vulnerability to production.