App reviews, troubleshooting, and recommendations
Hello Team,
My app has been rejected due to "App must set security headers to protect against clickjacking".
I created the app in Laravel using the osiset package, and implemented the code for clickjacking by creating the middleware in app/Http/Middleware/ContentSecurityPolicy.php.
@Anshu-Shar I can see the osiset package was not up to date.
I can't find the same file in the git repo https://github.com/osiset/laravel-shopify/tree/master/src/Http/Middleware, so I think this file was created by you. You can change the header.
Here are some references that will help you fix your issue:
https://laracasts.com/discuss/channels/laravel/iframe-and-x-frame-options
https://www.getastra.com/blog/php-security/prevent-clickjacking-in-php/
@Anonymous
Yes, I have created my own middleware with frame-ancestors code like the one below:

```php
<?php
namespace App\Http\Middleware;

use App\Models\User; // assumed location of the shop user model
use Closure;
use Illuminate\Http\Request;
use Illuminate\Http\Response as HttpResponse;
use Osiset\ShopifyApp\Objects\Values\ShopDomain;

class ContentSecurityPolicy
{
    protected const HEADER_FORMAT = 'frame-ancestors %s %s';
    protected const ADMIN_SHOPIFY_URL = 'https://admin.shopify.com';

    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
        if ($response instanceof HttpResponse && !$request->ajax()) {
            // Work out which shop is loading the app, in priority order:
            // the ?shop= parameter, the authenticated shop user, then the raw request body.
            if ($request->has('shop')) {
                $shopDomain = ShopDomain::fromNative($request->get('shop'));
            } elseif ($request->user() instanceof User) {
                $shopDomain = $request->user()->getDomain();
            } else {
                $shopDomain = ShopDomain::fromNative($request->getContent());
            }
            if ($shopDomain instanceof ShopDomain) {
                $response->headers->set(
                    'Content-Security-Policy',
                    sprintf(self::HEADER_FORMAT, 'https://' . $shopDomain->toNative(), self::ADMIN_SHOPIFY_URL)
                );
            }
        }

        return $response;
    }
}
```

and registered it in app/Http/Kernel.php:

```php
protected $middleware = [
    \App\Http\Middleware\ContentSecurityPolicy::class,
];
```

Thanks for giving me the valuable suggestion, but can you check the code implemented above for any issues?
@Anshu-Shar I think your header is still missing the required format. You can refer to this guide:
https://community.shopify.com/c/technical-q-a/how-to-fix-quot-app-must-set-security-headers-to-prote...
Here is a Shopify-accepted answer written in Node.js; you have to do something similar in PHP/Laravel:
https://www.shopside.com.au/post/solving-shopifys-content-security-policies-requirement
Read this: https://shopify.dev/apps/store/security/iframe-protection. The full details are explained there by Shopify.
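For reference, here is an added example of the header the Shopify iframe-protection page linked above asks for: `frame-ancestors https://<shop>.myshopify.com https://admin.shopify.com` when the shop is known, and `frame-ancestors 'none'` when it is not. This is not code from the thread, the osiset package, or Shopify; the class name, the regular expression used to validate the `shop` parameter, and the choice to read the shop only from `?shop=` are this example's own assumptions.

```php
<?php
// Added example: a self-contained Laravel middleware that emits the
// frame-ancestors Content-Security-Policy required for embedded Shopify apps.
// Class name, pattern and parameter handling are this example's assumptions,
// not the osiset package's own implementation.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ShopifyFrameAncestors
{
    // Only accept values shaped like "example.myshopify.com". The ?shop= value is
    // attacker-controlled input; reflecting it unvalidated into the header would
    // let any origin frame the app and defeat the clickjacking protection.
    private const SHOP_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$/';
    private const ADMIN_URL = 'https://admin.shopify.com';

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // query() may return an array for ?shop[]=..., so the helper checks the type.
        $response->headers->set(
            'Content-Security-Policy',
            self::frameAncestorsFor($request->query('shop'))
        );

        return $response;
    }

    /**
     * Build the frame-ancestors directive for a given shop domain.
     * Returns "frame-ancestors 'none'" when the shop is missing or malformed,
     * so the page refuses to be framed rather than emitting a permissive header.
     */
    public static function frameAncestorsFor(mixed $shop): string
    {
        if (is_string($shop) && preg_match(self::SHOP_PATTERN, $shop) === 1) {
            return sprintf('frame-ancestors https://%s %s', $shop, self::ADMIN_URL);
        }

        return "frame-ancestors 'none'";
    }
}
```

Register it in the global `$middleware` array in app/Http/Kernel.php so every response carries the header. The `?shop=` parameter is only guaranteed on the initial load of an embedded app, so in practice you would also fall back to the shop domain stored in the session or on the authenticated shop record; whatever the source, validate it against the myshopify.com pattern before placing it in the header. Responses for which no shop can be determined get `frame-ancestors 'none'` instead of no header at all.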
@Anonymous
I have set the header in the middleware code. You can see the screenshots and let me know if something is missing.