App must set security headers to protect against clickjacking


Shehan_Jay
Shopify Partner

Hello everyone!

We're trying to submit our sales channel app, which is embedded in the Shopify admin dashboard, and we keep failing automatic checks due to the following error:

  1. App must set security headers to protect against clickjacking.
    Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

A bit about our architecture:

Our frontend is powered by an SPA (React), served by AWS CloudFront and hosted on S3. It talks to a separate backend via a REST API.

At which point do we add these headers? We've tried adding them on the backend api responses but we still fail automatic checks. 

If anyone has been through a similar situation and resolved this issue your help would be greatly appreciated!

Thanks.

Replies 0 (0)
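The check quoted in the post is about the document that Shopify's admin loads inside an iframe, and `frame-ancestors` is only enforced on the response that carries that document. For the architecture described (SPA on S3 behind CloudFront, separate REST backend), that document is the SPA's HTML served by CloudFront, so a CSP header on the backend API's JSON responses is never seen by the browser for framing purposes. The following is an added example, not code from Shopify or from the poster: a CloudFront Function in the viewer-response event shape that reads the `shop` query parameter Shopify sends when it loads an embedded app, validates it, and sets the required header. It assumes the function is attached to the behavior that serves the SPA's HTML; the names `buildFrameAncestors`, `SHOP_PATTERN` and `ADMIN_ORIGIN` are the example's own. It is written in conservative ES5 style so that it also fits the CloudFront Functions runtime, but it runs unchanged in Node.

```javascript
// Added example (not Shopify's or the poster's code): CloudFront Function,
// viewer-response event, that sets Content-Security-Policy: frame-ancestors
// for an embedded Shopify app served from S3 via CloudFront.

// Shopify's automated check expects:
//   frame-ancestors https://<shop>.myshopify.com https://admin.shopify.com
var ADMIN_ORIGIN = 'https://admin.shopify.com';

// Only a plain *.myshopify.com host is acceptable. The `shop` parameter is
// attacker-controllable input that ends up inside a security header, so it
// must not be echoed back unchecked (a value containing whitespace or a
// second origin would widen the policy to arbitrary framers).
var SHOP_PATTERN = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Build the directive value for a given `shop` value, or return null when
// the value is missing or malformed.
function buildFrameAncestors(shop) {
  if (typeof shop !== 'string') {
    return null;
  }
  var host = shop.toLowerCase();
  if (!SHOP_PATTERN.test(host)) {
    return null;
  }
  return 'frame-ancestors https://' + host + ' ' + ADMIN_ORIGIN;
}

// Read `shop` from the CloudFront Functions querystring object
// ({ shop: { value: '...' } }); undefined when absent.
function shopFromRequest(request) {
  if (!request || !request.querystring || !request.querystring.shop) {
    return undefined;
  }
  return request.querystring.shop.value;
}

// Viewer-response handler: the event carries both the request (for the
// query string) and the response (whose headers we set).
function handler(event) {
  var request = event.request;
  var response = event.response;
  var headers = response.headers || {};

  var csp = buildFrameAncestors(shopFromRequest(request));
  if (csp === null) {
    // Unknown or malformed shop: do not widen the policy; allow only the
    // admin origin so a legitimate admin load still works.
    csp = 'frame-ancestors ' + ADMIN_ORIGIN;
  }

  headers['content-security-policy'] = { value: csp };

  // A managed "security headers" policy may add X-Frame-Options. Browsers that
  // understand frame-ancestors ignore X-Frame-Options when both are present,
  // but removing it avoids contradictory headers (e.g. DENY) for anyone
  // reading the response.
  delete headers['x-frame-options'];

  response.headers = headers;
  return response;
}

// Constructed sample event in the CloudFront Functions viewer-response shape,
// used here only to exercise the handler locally.
function sampleEvent(shop) {
  var querystring = shop === undefined ? {} : { shop: { value: shop } };
  return {
    request: { uri: '/index.html', querystring: querystring },
    response: {
      statusCode: 200,
      headers: {
        'content-type': { value: 'text/html' },
        'x-frame-options': { value: 'DENY' }
      }
    }
  };
}
```

To check the result after deploying, load the app's HTML URL with `?shop=<your-store>.myshopify.com` and inspect the response headers in the browser's network panel: the `content-security-policy` header must appear on the HTML document itself, not only on API calls made afterwards.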