ShieldScan

How ShieldScan works

A complete guide to understanding your security scan, interpreting findings, and keeping your Shopify store protected.

Getting started

01. Install ShieldScan

Install ShieldScan from the Shopify App Store. During installation you grant read-only permissions — ShieldScan never requests write access and can never modify your store.

02. Run your first scan

Click Scan Now on the dashboard. ShieldScan connects to your store, runs all 10 security checks in parallel, and returns a full report — typically in 15–45 seconds.

03. Read your score & grade

Your store is graded A–F and scored out of 100. Each critical finding costs 30 points, high costs 20, medium 10, and low 5. A score of 95+ earns an A.

04. Review findings

Every finding includes a severity label, a plain-English description of the risk, the potential business impact, and step-by-step remediation instructions.

05. Fix issues & re-scan

Work through the findings from highest severity down. Once you've applied a fix, re-scan to confirm the issue is resolved and watch your score improve.

06. Scan regularly

New apps, theme updates, and staff changes can introduce risks. Pro users get email alerts on new critical findings. Business users get automatic daily scans.

Understanding severity levels

Every finding is assigned a severity so you know what to prioritise.

CRITICAL

Immediate action required. Malware, exposed payment credentials, or known attack patterns that actively threaten customers right now.

HIGH

Resolve within 24–48 hours. Significant vulnerabilities that create real risk if exploited, such as missing GDPR webhooks or insecure script tags.

MEDIUM

Address within your next maintenance window. Issues that increase attack surface but require additional conditions to exploit.

LOW

Good-to-fix improvements. Minor hygiene issues, best-practice gaps, or low-probability risks.

INFO

Informational only. No action required — context about your store configuration.

How your score is calculated

Every store starts with a perfect score of 100. Points are deducted for each real finding:

Deduction per finding:

  Critical   −30 pts
  High       −20 pts
  Medium     −10 pts
  Low         −5 pts

Grade bands:

  A   95–100 points
  B   80–94 points
  C   65–79 points
  D   50–64 points
  F    0–49 points

The 10 security checks

What each check does and why it matters for your store.

#01 🏪 Store configuration
What: Fetches basic store info — plan, domain, and shop name — to confirm the scan has full API access.
Why: A partial API connection means other checks may return incomplete results. This check validates the foundation.

#02 🎨 Theme library
What: Counts all themes in your store and flags if more than 5 unpublished or development themes exist.
Why: Abandoned themes can harbour outdated JavaScript libraries or injected tracking scripts that are easy to miss. Attackers with compromised credentials can push malicious code to a dormant theme undetected.

#03 🔎 Theme code security
What: Scans your active theme's layout/theme.liquid for eval(), non-HTTPS script sources, form actions pointing to external domains, known malware domains, and suspicious base64 blobs.
Why: Your live theme runs on every customer page. A single injected line of malicious JavaScript can silently steal payment card data on checkout — this is how Magecart attacks work.

#04 🔑 App permissions
What: Lists all OAuth scopes ShieldScan was granted and flags any scope beginning with write_.
Why: A security auditing tool should only need read access. Over-permissioned apps present a bigger blast radius if their access token is compromised.

#05 📜 Injected scripts
What: Audits all script tags injected by apps into your storefront. Flags HTTP (non-HTTPS) sources, high volume (>10 scripts), and domains not on ShieldScan's trusted-provider list.
Why: Every third-party script is a supply-chain trust decision. Scripts loaded over HTTP can be swapped out mid-transit by an attacker. A compromised script provider can affect your store without you changing anything.

#06 🌐 Storefront access
What: Checks whether your storefront is protected by a password page.
Why: Pre-launch stores with no password protection may expose unreleased products, pricing, or inventory to competitors.

#07 🛡️ HTTP security headers
What: Sends a HEAD request to your storefront and checks for six headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Why: Security headers are a browser-enforced line of defence. A missing CSP makes XSS attacks far more effective; missing HSTS allows protocol downgrade attacks; missing X-Frame-Options enables clickjacking.

#08 ⚖️ GDPR compliance webhooks
What: Verifies that the three mandatory GDPR webhooks are registered: customers/data_request, customers/redact, and shop/redact.
Why: Shopify requires all apps to respond to GDPR data subject requests within 30 days. Missing webhooks mean you can't receive erasure requests — creating legal exposure and risk of App Store removal.

#09 🦠 Deep virus scan
What: Fetches up to 20 JavaScript files and 10 Liquid files from your active theme and scans each for 9 malware signatures: base64 obfuscation, char-code tricks, dynamic Function(), eval(), cookie exfiltration, keyloggers, external iframes, document.write injections, and crypto-mining APIs.
Why: Malware in theme files operates invisibly. Customers see no sign anything is wrong while their payment data is being streamed to an attacker's server on every checkout.

#10 🗝️ API keys & secrets scan
What: Scans up to 40 JS, Liquid, and JSON theme files against 17 secret patterns — including Stripe live keys, Shopify admin tokens, AWS access keys, Google API keys, SendGrid, Mailchimp, Twilio, GitHub tokens, RSA/EC private keys, JWTs, and database connection strings.
Why: Hardcoded secrets in theme files are visible to anyone with theme editor access — ex-developers, compromised accounts, or leaked backups. A stolen Stripe key can drain your revenue; an AWS key can give full cloud control.

Plan comparison

Free

$0

  • Full 10-check scan
  • First 3 findings visible
  • Security score & grade

Pro

$19/mo

  • All findings + remediation
  • Deep virus scan
  • API secrets scanner
  • Email alerts
  • 7-day free trial

Business

$49/mo

  • Everything in Pro
  • Daily auto-scans
  • Score trend history
  • 365-day history
  • Priority support

Ready to scan your store?

Install ShieldScan from the Shopify App Store and run your first scan in under a minute. Free forever — no credit card required.

© 2026 ShieldScan