CommerceGov security model and controls.
Landing, app, API, and webhook traffic are isolated by subdomain. Each domain serves only its intended purpose.
All incoming Shopify webhooks are verified using HMAC-SHA256 before processing.
Webhook and command processing includes idempotency and replay safeguards.
Mutations are applied through dedicated worker jobs, not inline request handling; API requests never write back directly.
Global and per-shop freeze controls allow operators to halt all writeback immediately.
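
The webhook controls listed above (HMAC-SHA256 verification, replay safeguards, hand-off to a worker) can be sketched as follows. This is an added example, not CommerceGov's own code: the class and function names, the in-memory ID set, and the sample secret and payload are assumptions, and deduplicating on Shopify's X-Shopify-Webhook-Id header is one possible way to implement the replay safeguard.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; a real deployment loads the app secret from a secret store.
SAMPLE_SECRET = b"constructed-example-secret"


class WebhookGate:
    """Verify the HMAC over the raw body, then drop deliveries already seen."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # assumption: in-memory; production needs a shared store with a TTL

    def _signature_ok(self, raw_body: bytes, header_value: str) -> bool:
        # Shopify sends base64(HMAC-SHA256(secret, raw body)) in X-Shopify-Hmac-Sha256.
        digest = hmac.new(self._secret, raw_body, hashlib.sha256).digest()
        expected = base64.b64encode(digest)
        # Constant-time comparison on bytes, so odd header input cannot raise.
        return hmac.compare_digest(expected, header_value.encode("utf-8", "replace"))

    def accept(self, raw_body: bytes, headers: dict) -> str:
        h = {k.lower(): v for k, v in headers.items()}
        # Verify against the exact bytes received, before any JSON parsing.
        if not self._signature_ok(raw_body, h.get("x-shopify-hmac-sha256", "")):
            return "rejected"
        webhook_id = h.get("x-shopify-webhook-id")
        if not webhook_id:
            return "rejected"
        if webhook_id in self._seen:
            return "duplicate"  # acknowledge, but do not process again
        self._seen.add(webhook_id)
        return "enqueue"  # hand off to a worker job; no mutation happens inline


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build the header value a sender would attach (used only for the demo)."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


if __name__ == "__main__":
    gate = WebhookGate(SAMPLE_SECRET)
    body = b'{"id": 1001, "title": "constructed product"}'  # constructed payload
    hdrs = {"X-Shopify-Hmac-Sha256": sign(SAMPLE_SECRET, body),
            "X-Shopify-Webhook-Id": "constructed-id-1"}
    print(gate.accept(body, hdrs))         # first delivery
    print(gate.accept(body, hdrs))         # same delivery sent again
    print(gate.accept(body + b" ", hdrs))  # body changed after signing
```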