App must set security headers to protect against click jacking.

Balouchi
Excursionist

Hi there,

Recently I attempted to submit an alternative payment gateway to the shopify store and was almost immediately rejected with the following:

App must set security headers to protect against click jacking.
Your app must set the proper frame-ancestors content security policy directive to avoid click jacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

And I'm wondering - do these headers have to be present on the installation of the app?

Or are we expected to set them upon redirect to the app for the alternative payment gateway flow? Just wondering where in the order of operations these need to exist.

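As an added example (not code from the original post or from Shopify), here is one way to produce the header the rejection notice describes on each response: the shop domain is read from the request's shop query parameter, validated as a well-formed *.myshopify.com host so a malformed value cannot widen the frame-ancestors list, and combined with https://admin.shopify.com. The function names and the fallback to 'none' for an unknown shop are this example's own choices.

```javascript
// Accept only a well-formed <shop>.myshopify.com host; anything else is
// treated as unknown, and the response then refuses to be framed at all.
const SHOP_DOMAIN = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Returns the canonical shop host, or null when the value is not acceptable.
function normalizeShop(shop) {
  if (typeof shop !== 'string') return null;
  const host = shop.trim().toLowerCase();
  return SHOP_DOMAIN.test(host) ? host : null;
}

// Value of the Content-Security-Policy header for one response.
// Known shop:   frame-ancestors https://<shop>.myshopify.com https://admin.shopify.com
// Unknown shop: frame-ancestors 'none'   (page cannot be embedded anywhere)
function frameAncestorsValue(shop) {
  const host = normalizeShop(shop);
  if (host === null) return "frame-ancestors 'none'";
  return `frame-ancestors https://${host} https://admin.shopify.com`;
}

// Sets the header on a response object that exposes setHeader(name, value),
// such as Node's http.ServerResponse; rawUrl is the request path plus query.
function setSecurityHeaders(rawUrl, res) {
  const url = new URL(rawUrl, 'http://localhost'); // base only for parsing
  const value = frameAncestorsValue(url.searchParams.get('shop'));
  res.setHeader('Content-Security-Policy', value);
  return value;
}

// Request handler that applies the header to every response, whatever the
// route, so embedded pages always carry it. Start it with, for example:
//   require('http').createServer(handle).listen(3000)
function handle(req, res) {
  setSecurityHeaders(req.url, res);
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('ok');
}
```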

1080
Shopify Partner

@Balouchi have you fixed this issue?