Shopify Functions for Fraud Filter — How They Work in 2026
Shopify Functions power the new generation of fraud-prevention apps. Learn how server-side checkout rules work and why they cannot be bypassed.

The fraud-filter category on Shopify changed fundamentally when Shopify Functions launched. Before Functions, the only way to enforce checkout rules was client-side JavaScript — easy to bypass by disabling JS or modifying the DOM. After Functions, checkout rules run on Shopify's own infrastructure, written in Rust/WebAssembly, and cannot be bypassed from the browser.
This guide is the technical explainer of how that works and why merchants should care.
What are Shopify Functions?
Shopify Functions are server-side code modules that extend Shopify's checkout, discounts, delivery, and payment-method logic. They:
- Run on Shopify's edge infrastructure (not your storefront)
- Execute in <5ms typically
- Are compiled to WebAssembly for sandbox safety
- Can be written by app developers (like Shieldy) or merchants directly
For fraud filtering specifically, Functions enable server-side checkout validation: an order is built, the Function evaluates it, and Shopify only allows payment if the Function approves.
Architecture before vs after Functions
Before (legacy):
Browser → Shopify checkout JS → Submits payment
Fraud filter apps had to inject JavaScript into the storefront. Determined attackers disabled JS, modified the DOM, or used direct API calls to bypass the check.
After (Shopify Functions):
Browser → Shopify checkout → Functions API (server-side) → Fraud filter Function → Approve / Reject / Add validation
The Function runs inside Shopify's infrastructure before payment authorization. The browser cannot see or modify it.
What can a fraud Function do?
The cart-validation Function can:
- Inspect the buyer's IP, country, ISP at request time
- Read order line items, total, shipping/billing address
- Check email pattern against blocklists
- Validate phone, name, customer tags
- Look up external risk-score services (with rate limits)
- Reject the order with a custom error message
- Apply additional validation requirements
What it cannot do:
- Modify the order itself (Functions are read-only on order data)
- Block the storefront (that requires Online Store 2.0 sections)
- Persist state between executions (stateless by design)
- Run for more than 5ms (hard runtime limit)
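The contract described above (read-only input, no state between runs, reject with a custom message) can be modelled as a pure function. The following Rust sketch is an added example, not Shopify's API or Shieldy's code; the `CheckoutInput`, `Rules` and `validate` names and all sample values are hypothetical.

```rust
// Added illustration: a stateless, read-only checkout validation.
// Type and field names are hypothetical, not Shopify's Function schema.
use std::net::Ipv4Addr;

pub struct CheckoutInput<'a> {
    pub email: &'a str,
    pub ip: Ipv4Addr,
    pub shipping_country: &'a str,
}

pub struct Rules<'a> {
    pub blocked_email_domains: &'a [&'a str],
    pub blocked_countries: &'a [&'a str],
    pub blocked_cidrs: &'a [(Ipv4Addr, u8)], // (network, prefix length)
}

// True when `ip` falls inside `net/prefix`; prefixes above 32 are clamped.
fn in_cidr(ip: Ipv4Addr, net: Ipv4Addr, prefix: u8) -> bool {
    let p = prefix.min(32) as u32;
    let mask = if p == 0 { 0 } else { u32::MAX << (32 - p) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

// Returns buyer-facing errors; an empty Vec means "approve".
// The input is borrowed immutably: the function can reject, never edit.
pub fn validate(input: &CheckoutInput, rules: &Rules) -> Vec<String> {
    let mut errors = Vec::new();
    // Normalise first so case or padding differences do not dodge a rule.
    let email = input.email.trim().to_ascii_lowercase();
    let domain = email.rsplit('@').next().unwrap_or("");
    if rules.blocked_email_domains.iter().any(|d| domain == *d || domain.ends_with(&format!(".{d}"))) {
        errors.push("This email address cannot be used at checkout.".to_string());
    }
    if rules.blocked_countries.iter().any(|c| c.eq_ignore_ascii_case(input.shipping_country)) {
        errors.push("We do not ship to this destination.".to_string());
    }
    if rules.blocked_cidrs.iter().any(|&(net, p)| in_cidr(input.ip, net, p)) {
        errors.push("This order cannot be processed from your network.".to_string());
    }
    errors
}

fn main() {
    // Constructed sample data (documentation IP range, reserved .example domain).
    let rules = Rules { blocked_email_domains: &["blocked.example"], blocked_countries: &["XX"],
                        blocked_cidrs: &[(Ipv4Addr::new(203, 0, 113, 0), 24)] };
    let buyer = CheckoutInput { email: "Buyer@Blocked.Example", ip: Ipv4Addr::new(203, 0, 113, 9), shipping_country: "CA" };
    println!("{:?}", validate(&buyer, &rules));
}
```

Because every rule is evaluated from the input alone, the same request always yields the same decision, which makes the rule set straightforward to unit-test before deployment.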
How Shieldy uses Shopify Functions
Shieldy's fraud filter integrates at three Shopify Function hook points:
- Cart validation — runs when buyer reaches checkout. Rejects with custom error if IP / country / email / address matches a block rule.
- Delivery customization — hides shipping methods to blocked regions.
- Payment customization — blocks specific payment methods for high-risk orders (e.g. requires PayPal over credit card for VPN-flagged buyers).
Each hook is a separate Function, registered when the app is installed.
Performance
Functions execute at Shopify's edge:
- Network latency: <50ms (same datacenter as the buyer's nearest Shopify POP)
- Function runtime: <5ms (Shieldy averages 1-2ms)
- Total added checkout time: <55ms
No measurable impact on conversion rate.
Why this matters for merchants
The practical difference:
| Capability | Pre-Functions | Post-Functions |
|---|---|---|
| Block by IP at checkout | Bypassable | Unbypassable |
| Block by email pattern | Bypassable | Unbypassable |
| Block VPN at checkout | Not available | Available |
| Auto-cancel on risk | Webhook-based, post-payment | Pre-payment via Function |
| Custom checkout errors | Theme JS only | Native Shopify error |
The unbypassable enforcement is the big upgrade. A determined fraudster who knew how to disable JS could previously walk through any blocker. Now they cannot.
Functions vs Shopify Flow
These are different tools:
- Functions — synchronous, runs during checkout, can reject the order before payment.
- Flow — asynchronous, runs after order creation, can cancel/refund but not prevent the order.
Both are useful. Shieldy uses Functions for pre-payment prevention and integrates with Flow for post-payment automation (notifications, fulfillment delays).
What if I am on Shopify Plus?
Plus merchants get additional Function hooks:
- Order routing — split shipments based on risk score
- Custom checkout extensions — add fraud-specific UI inside the checkout itself
- B2B-specific Functions — different rules for wholesale buyers
Shieldy's Shopify Plus plan ($16.99/mo) unlocks all of these.
Limitations to be aware of
5ms runtime limit. Functions cannot do heavy lookups. They can call external APIs but must return within budget. Shieldy mitigates this by pre-fetching IP intelligence into a local cache that the Function reads in <1ms.
Read-only on order data. A Function cannot modify the cart — only validate or reject. For modifications (auto-apply discounts, change line items), use Shopify Flow or a webhook.
Per-shop installation. Each merchant installs the app and accepts Function registration. There is no global Function — every shop owns its own instance.
Function deployment is gated. Shopify reviews Functions before they go live. Updates take 24-48 hours to roll out.
Building your own Function
Technically possible if you have engineering capacity:
- Shopify CLI: `shopify app generate extension`
- Choose Cart validation Function.
- Write logic in Rust, JavaScript, or Wasm-compatible languages.
- Deploy via `shopify app deploy`.
In practice, most merchants do not build Functions themselves because:
- IP intelligence requires a database (cost of maintenance)
- Network proxy detection requires constant feed updates
- Behavioural fingerprinting is non-trivial
- A pre-built app like Shieldy handles all of this for $4.99-$16.99/mo
For merchants with engineering teams who want full control, building is viable.
How to verify a fraud app uses Shopify Functions
Some apps still rely on legacy JavaScript-only approaches. Verify before installing:
- Check the app listing for a Shopify badge such as "Uses Shopify Functions" or "Checkout extensibility" certified.
- Read the privacy and permissions screen — Function-based apps request Function-specific scopes.
- Look for explicit "server-side blocking" or "Shopify Functions" in product copy.
Shieldy is built entirely on Shopify Functions.
Frequently asked questions
Does my theme need to be Online Store 2.0 for Functions?
For checkout-related Functions, the store needs Checkout Extensibility (default for new stores; existing stores migrate via Shopify CLI). For other Functions, OS 2.0 is not strictly required.
Do Functions work with all checkout flows?
Yes — standard checkout, Shop Pay, Apple Pay, Google Pay, B2B, and Plus checkout.
Can I see Function logs?
Yes. Shopify admin → Apps → [your app] → Functions tab shows recent runs, errors, and execution time.
Are Functions GDPR-compliant?
Yes. Function execution happens in Shopify's own infrastructure, governed by Shopify's data protection terms.
What happens if a Function errors?
Shopify falls back to allowing the order (fail-open), so block rules are not enforced for that checkout. Shieldy reports the error to its dashboard so you can fix it.
Wrapping up
Shopify Functions are the foundation of modern fraud prevention on Shopify. Apps built on them (like Shieldy) provide unbypassable, low-latency, native checkout protection. Apps without them are still using legacy JavaScript that determined fraudsters can defeat. Choose accordingly.


