430 Security Rejection

The HTTP 430 Security Rejection status code is an unofficial client error specific to Shopify, returned when the platform determines a request is potentially malicious and rejects the connection to protect the application.

Usage

Shopify returns 430 when its security infrastructure flags a request as suspicious. The evaluation uses IP-based heuristics operating at the platform level, independent of individual API keys or store configurations. A request flagged as potentially harmful receives an immediate rejection before reaching the application layer.

Common triggers include requests originating from IP addresses associated with prior abuse, cloud hosting providers sharing IP pools across tenants, automated traffic patterns resembling scraping or credential stuffing, and requests missing expected browser fingerprints.

The security evaluation is global. Applications running on shared cloud infrastructure (Google Cloud Run, AWS Lambda, Heroku) are more likely to encounter 430 errors because unrelated tenants share outbound IP ranges. A single bad actor on a shared IP address affects all tenants using the address.

Note

In an early IETF draft specification, HTTP response 430 was reserved for Request Header Fields Too Large. The final specification assigned that meaning to status 431 instead. In another IETF draft, a 430 Block status was proposed to address head-of-line blocking in HTTP/1.1 pipelining. With the introduction of HTTP/2, the problem was solved and the 430 Block status code was never finalized.

Note

Shopify previously used 430 as a rate-limiting code ("Too many API calls"), equivalent to 429. This meaning is deprecated. Shopify repurposed 430 for security rejections and now uses 429 for rate limiting.

SEO impact

Search engines like Google will not index a URL that returns a 430 response status. Consequently, previously indexed URLs that return this HTTP status code will be removed from search results.

Example

A client sends an API request from a shared cloud IP address. Shopify's security layer flags the source IP and rejects the request with 430.

Request

GET /admin/api/products.json HTTP/1.1
Host: store.example.re
X-Shopify-Access-Token: shpat_xxxxxxxxxxxx

Response

HTTP/1.1 430 Security Rejection
Content-Type: application/json
Retry-After: 2

{"errors":"Security rejection"}

How to fix

Switch the application to a static outbound IP address. Shared cloud platforms rotate IPs across tenants, and a single flagged tenant poisons the pool for all others. A NAT gateway, static IP proxy, or dedicated egress IP eliminates this contamination.

Verify the request includes standard headers a legitimate client sends: User-Agent, Accept, and Accept-Language. Bare requests missing these headers are more likely to be flagged as automated.

Space API calls at reasonable intervals. Rapid bursts of requests from a single IP resemble attack traffic. Implement exponential backoff when receiving 430 responses, starting at two seconds between retries.

Check the Retry-After header when present. The header indicates how long to wait before the next attempt.

Contact Shopify support if the problem persists after switching to a static IP. Shopify maintains an internal allowlist and support teams are able to investigate IP-level blocks.

Review the application for behaviors triggering bot-detection heuristics: high request volumes from a single IP, identical request patterns, missing or rotating User-Agent strings, and connections from known data center IP ranges.
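
The client-side steps above (standard headers, exponential backoff starting at two seconds, and honoring Retry-After) can be combined in one retry helper. This is an added example, not code from this page or from Shopify. The send callable is a hypothetical transport returning (status, response headers, body), the User-Agent value is constructed, and the 60-second cap and the choice to wait the longer of the backoff and Retry-After are assumptions.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Headers the page lists as expected from a legitimate client (values are constructed).
BASE_HEADERS = {
    "User-Agent": "example-inventory-sync/1.0 (+https://app.example/contact)",
    "Accept": "application/json",
    "Accept-Language": "en-US,en;q=0.9",
}

def parse_retry_after(value, now=None):
    """Return seconds to wait from a Retry-After value (delta-seconds or HTTP-date), or None."""
    if not value:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # malformed header: fall back to plain backoff
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())

def retry_delay(attempt, retry_after=None, base=2.0, cap=60.0):
    """Exponential backoff starting at `base` seconds, never shorter than Retry-After."""
    backoff = min(cap, base * (2 ** attempt))
    hinted = parse_retry_after(retry_after)
    return max(backoff, hinted) if hinted is not None else backoff

def send_with_backoff(send, url, token, max_attempts=5, sleep=time.sleep):
    """Call send(url, headers) -> (status, response_headers, body); retry only on 430."""
    headers = dict(BASE_HEADERS, **{"X-Shopify-Access-Token": token})
    for attempt in range(max_attempts):
        status, resp_headers, body = send(url, headers)
        if status != 430:
            return status, body
        if attempt < max_attempts - 1:
            sleep(retry_delay(attempt, resp_headers.get("Retry-After")))
    return status, body  # still rejected: stop and escalate (static egress IP, support)
```

Retrying only helps with transient flags. If every attempt returns 430, the helper gives up so the caller can fall back to the egress and support steps instead of adding more traffic from a flagged address.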

Takeaway

The 430 Security Rejection status code is an unofficial client error returned when Shopify flags a request as potentially malicious. The evaluation operates at the IP level using platform-wide heuristics. Applications on shared cloud infrastructure are most commonly affected.

Last updated: March 6, 2026