How to secure public endpoints and rate‑limit custom apps?
Quick Answer
To secure Shopware public endpoints, you need to combine authentication, request validation, and rate limiting at both the Shopware and infrastructure level. Most attacks against custom apps are not sophisticated—they come from exposed API routes, missing IP restrictions, or endpoints that accept unlimited requests. The setup below covers how to protect custom Store API routes, admin integrations, webhook endpoints, and app backends without breaking legitimate traffic.
Before You Start
- ✦ Production server access — you’ll need access to Nginx, Apache, Cloudflare, or your load balancer to enforce request throttling properly
- ✦ Custom app or plugin routes — this setup only matters if your store exposes custom endpoints beyond standard Shopware APIs
- ✦ HTTPS enabled everywhere — rate limiting and token validation are pointless if requests travel over insecure connections
Audit exposed routes
Start by identifying every public-facing endpoint your Shopware setup exposes. Most stores focus on the storefront and completely forget webhook handlers, app callback URLs, or custom Store API extensions. Those are usually the weakest points. Look for routes that accept POST requests, file uploads, guest actions, or unauthenticated access. If an endpoint does not absolutely need public access, move it behind authentication immediately.
- List all custom plugin and app routes
- Check whether routes require authentication
- Disable or remove unused endpoints
Require signed requests
Every custom app endpoint should validate who sent the request. For Shopware apps, signed payload validation is the baseline. For custom integrations, use JWT tokens, HMAC signatures, API keys with expiration, or OAuth flows depending on the use case. Don’t rely on hidden URLs or random endpoint names. Bots discover those fast. Also validate timestamps to prevent replay attacks against webhook endpoints.
- Validate Shopware app signatures server-side
- Reject expired or malformed tokens
- Store secrets outside the repository
Apply infrastructure throttling
Rate limiting works best before requests reach PHP or Shopware. Put the limits at the CDN, reverse proxy, or web server layer first. Cloudflare, Fastly, Nginx, and HAProxy are all good options. Limit requests by IP, token, or endpoint path depending on traffic type. Product search APIs and login endpoints usually need stricter limits than storefront page views.
- Throttle login and password reset routes aggressively
- Separate limits for APIs and storefront traffic
- Return HTTP 429 responses when limits trigger
limit_req_zone $binary_remote_addr zone = api_limit : 10m rate = 10r / s;
server {
location / store - api / { limit_req zone = api_limit burst = 20 nodelay; }
}Validate request payloads
Never trust incoming data even if the request comes from your own frontend. Validate payload structure, allowed fields, file types, and request size limits. This matters a lot for custom forms, search endpoints, and app webhooks. A single poorly validated endpoint can consume database resources fast enough to slow down the entire store during peak traffic.
- Reject unexpected request parameters
- Set upload and body size limits
- Sanitize user-controlled values before queries
Monitor and block abuse
Security is not a one-time setup. Watch logs for spikes in failed requests, unusual API usage, or repeated access from the same IP ranges. Good monitoring catches scraping bots and brute-force attempts before customers notice slowdowns. Set alerts for abnormal request rates and make sure your team can temporarily block abusive traffic without deploying code changes.
- Track 401, 403, and 429 response spikes
- Enable firewall or CDN blocking rules
- Review logs after every app deployment
Shopware Security Checklist
0 of 7 completeMistakes Most Developers Make
! Trusting frontend validation
What happens: Attackers bypass the storefront entirely and hit the endpoint directly with malformed payloads.
Fix: Validate and sanitize every request server-side even if the frontend already checks it.
! Using global API limits
What happens: Legitimate shoppers get blocked during traffic spikes because all endpoints share the same threshold.
Fix: Create separate rate policies for login, search, webhooks, and storefront browsing.
! Leaving debug endpoints enabled
What happens: Test routes expose stack traces, database information, or internal app logic publicly.
Fix: Remove development routes completely during deployment instead of hiding them behind obscure URLs.
Key Takeaway
The short version: secure Shopware endpoints in layers instead of relying on a single protection method. Signed requests, infrastructure-level throttling, payload validation, and monitoring all work together. Most stores already have HTTPS and authentication but completely miss rate limiting and abuse detection. Your highest-risk endpoints are usually custom integrations and webhook handlers—not the storefront itself. Start with Step 3—that one alone handles most of it.
Related Answers
Was this answer helpful?
Your feedback helps us improve our answers.
Still need help?
Talk to our Shopware experts
We've handled GDPR/CCPA compliance for dozens of EU & US Shopware stores.