Hi there,
It's quite a common problem as far as I can see, but it seems there's still no reliable solution. I submit the app for review and keep getting the rejection:
App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.
I tried everything from here and carefully debugged with this doc. I even tried to find the problem with request header logging during the review.
I develop an embedded app with the Node.js template from the docs.
I set this in middleware, but it has no effect.
ctx.set('Content-Security-Policy', `frame-ancestors https://shop-from-request.myshopify.com https://admin.shopify.com;`);
It would be interesting to see header logs from an approved app, or maybe you can share a working template that gets approved.
Do you use the shop saved in cookies, or only the one from ctx.query.shop in the middleware ctx?
Any help would be much appreciated. I hope Shopify will notice and give more details about such review rejections.
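An added example (not code from the poster or from Shopify's Node template) of the middleware the rejection text is asking for: it derives the shop from the request, validates that it really is a `*.myshopify.com` host before echoing it into the header, and falls back to the admin origin only. The `ctx.session.shop` fallback and the `makeCtx` helper are assumptions for running it without Koa.

```javascript
// Added example: builds the frame-ancestors CSP value from the `shop` query
// parameter, validated as a *.myshopify.com host, for a Koa-style embedded app.

// Only a well-formed shop subdomain is accepted. An unvalidated ?shop= value
// must never be copied into the header, otherwise any origin a user is tricked
// into visiting could be granted permission to frame the app.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

function buildFrameAncestors(shop) {
  if (typeof shop !== 'string' || !SHOP_RE.test(shop)) {
    // Unknown or invalid shop: allow only the Shopify admin to frame the app.
    return 'frame-ancestors https://admin.shopify.com;';
  }
  return `frame-ancestors https://${shop.toLowerCase()} https://admin.shopify.com;`;
}

// Koa-style middleware: prefer the shop from the query string (what the
// reviewer's embedded load sends), then a shop stored on the session
// (assumed field name), and set the header before handing off to next().
async function cspMiddleware(ctx, next) {
  const shop = (ctx.query && ctx.query.shop) || (ctx.session && ctx.session.shop);
  ctx.set('Content-Security-Policy', buildFrameAncestors(shop));
  await next();
}

// Minimal stand-in for a Koa ctx so the middleware can run without Koa.
function makeCtx(query, session) {
  const headers = {};
  return { query, session, headers, set(name, value) { headers[name] = value; } };
}

// Constructed sample requests: a valid shop, a spoofed lookalike, and none.
const sampleCtxs = [
  makeCtx({ shop: 'Example-Store.myshopify.com' }),
  makeCtx({ shop: 'example.myshopify.com.attacker.example' }),
  makeCtx({}, { shop: 'saved-shop.myshopify.com' }),
];
for (const ctx of sampleCtxs) {
  cspMiddleware(ctx, async () => {});
  console.log(ctx.headers['Content-Security-Policy']);
}
```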
Hi there, did you find a solution? We are also having the same issue.