Product security overview
What HMAC product validation is, when to use it, and the different ways to implement it.
Foxy’s HMAC product validation is a cryptographic method to prevent customers from tampering with your add-to-cart links and forms — for example, modifying a product’s price, code, or category before submitting to the cart.
Do you need it?
Without HMAC validation enabled, product parameters in your links and forms are visible and modifiable by anyone with basic web knowledge. Whether that’s a problem depends on your situation:
Low volume stores often manage risk by manually reviewing orders before fulfilment.
Higher volume stores may verify orders automatically by comparing transaction data against their database via the Foxy API.
Any store that wants to prevent spoofed orders at the point of submission should implement HMAC validation.
If you’re concerned about price or product spoofing, HMAC validation is the most robust solution.
How it works
When HMAC validation is enabled, Foxy requires every product parameter in your links and forms to be cryptographically signed using your store’s API key. Unsigned or tampered values are rejected before the product is added to the cart.
Signing is all or nothing — if validation is enabled, every parameter on every add-to-cart link and form must be signed. See HMAC excluded parameters reference for the small number of parameters that are exempt.
Implementation options
There are three ways to implement HMAC signing:
PHP auto-sign library — the recommended approach for most stores. A PHP script automatically signs all links and forms on an entire HTML page, making it straightforward to add to an existing site or CMS. See Sign product forms with HMAC and Sign product links with HMAC.
Manual admin tool — for static sites or one-off forms. Paste your link or form into the Foxy admin and it returns a signed version. See Use the admin tool to sign products with HMAC.
Custom implementation — sign parameters yourself in any language using HMAC SHA-256. See Sign product forms with HMAC and Sign product links with HMAC for implementation details.
Notes
HMAC validation must be enabled in your store settings before signed links and forms will be validated. See Enable HMAC product validation.
A code value is required on every product. Without it there is nothing to tie signed parameters to a specific product.
Validation prevents tampering with existing parameters and blocks the addition of unsigned parameters, but it does not prevent a user from removing a parameter. If you use price modifiers, set the base price at the upper limit and adjust downward rather than upward.
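The following is an added example of the custom implementation option above, not code from Foxy or from this page: it signs each product parameter with HMAC SHA-256 under a store API key, validates a tampered price, and shows why the note about removed parameters matters. The message layout (product code, then parameter name, then value, with the tag appended to the parameter name after "||") is an assumption for illustration; use Foxy's signing pages for the authoritative format.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Assumed layout for illustration: tag = HMAC-SHA256(key, code + name + value),
# carried as "name||tag" so every parameter is tied to the product code.

def _tag(api_key: str, code: str, name: str, value: str) -> str:
    msg = (code + name + value).encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()

def sign_params(api_key: str, params: Dict[str, str]) -> Dict[str, str]:
    """Return {'name||tag': value} for every parameter; a code value is required."""
    code = params["code"]
    return {f"{n}||{_tag(api_key, code, n, v)}": v for n, v in params.items()}

def validate_params(api_key: str, signed: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Recompute every tag; return the clean parameters, or None on any failure."""
    clean: Dict[str, str] = {}
    for signed_name, value in signed.items():
        if "||" not in signed_name:
            return None  # unsigned parameter added by the client: rejected
        clean[signed_name.split("||", 1)[0]] = value
    code = clean.get("code")
    if code is None:
        return None  # nothing to tie the parameters to
    for signed_name, value in signed.items():
        name, tag = signed_name.split("||", 1)
        if not hmac.compare_digest(_tag(api_key, code, name, value), tag):
            return None  # value or name was modified after signing
    return clean

# Constructed sample data, not a real store key or product
API_KEY = "example-store-api-key"
PRODUCT = {"code": "SKU-123", "name": "Widget", "price": "20.00", "category": "tools"}

def demo():
    """Returns (valid_as_signed, price_tamper_rejected, dropped_param_still_valid)."""
    signed = sign_params(API_KEY, PRODUCT)
    ok = validate_params(API_KEY, signed) == PRODUCT
    tampered = dict(signed)
    price_key = next(k for k in tampered if k.startswith("price||"))
    tampered[price_key] = "1.00"  # client edits the signed price
    rejected = validate_params(API_KEY, tampered) is None
    # Note from the page: per-parameter signing cannot detect a removed parameter
    dropped = {k: v for k, v in signed.items() if not k.startswith("category||")}
    still_valid = validate_params(API_KEY, dropped) is not None
    return ok, rejected, still_valid
```

The last result is the reason the notes advise setting the base price at the upper limit when using price modifiers: a dropped modifier parameter cannot be caught by the signature.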