Server-side price validation (safety feature)

Written By Floris de Vries

Last updated About 2 hours ago

The Server-side price validation setting is the central safety switch that decides whether prices coming from the storefront calculator are verified by Shopify’s cart engine and the app server before they are accepted on the cart, the bundle expansion, and the draft order.

This setting lives on the global Theme settings page under Price settings, next to Show currency with prices.

What this setting does

Every product page using the calculator writes the calculated price to a line item property called __ooCustomPrice. The cart bundle function and the draft-order checkout flow can either:

  • Trust that __ooCustomPrice value directly, or

  • Verify it server-side against a signed token (__ooLiteSig) and a payload hash (__ooPayloadHash) that were generated by the app server when the page was rendered.

The toggle controls which behaviour is used.

When the setting is OFF (default)

  • The cart bundle function and draft order use __ooCustomPrice as the unit price as-is.

  • No signature check is performed.

  • Setup is simpler and there is nothing extra to deploy.

  • Risk: A technical visitor can in theory edit the price on the storefront with browser tooling before it is submitted to the cart. The manipulated price would then end up in the order.

This is the default for new shops and for any shop that has not explicitly opened the Theme settings page and pressed Save on the safety toggle.

When the setting is ON

  • Each calculator line is expected to carry a server-issued signature (__ooLiteSig), the original payload hash (__ooPayloadHash), and the originally quoted price (__ooQuotedPrice).

  • The Shopify cart bundle function recomputes the signature using the shop’s pricing keys and rejects the line if the signature is invalid or the price was changed.

  • The draft-order proxy applies the same check before the order is created.

  • If verification fails, the bundle function returns no expand operations for that line, which protects you from manipulated prices entering the order.

How to turn it on

  1. Open the app and go to Settings.

  2. Scroll down to Price settings.

  3. Tick Enable server-side price validation (safety feature).

  4. Click Save.

You can reach the section directly via the Safety rules step in the dashboard setup guide.

Important behaviour

  • The setting is global. It applies to every calculator and every product page in the shop.

  • The setting is intentionally controlled only on the server. There is no line item property on the storefront that can be used to disable it client-side.

  • For shops that have never opened or saved the Theme settings page, the value is treated as OFF by both the cart bundle function and the draft-order checkout, even if other settings exist.

  • Pricing verification keys are managed automatically by the app. You do not need to copy or rotate them by hand.

Recommendation

For most stores we recommend turning Server-side price validation on once your calculator has been tested end-to-end. It removes an entire class of price-tampering risk and adds no measurable delay for normal shoppers.

Keep it off only if you understand the trade-off and your store does not need that extra safety layer.