Re: Security headers requirement against clickjacking

phanremy · ‎04-20-2022

Good day,

Our application submission does not go through the requirements that must be met before initial screening. The only comment we receive is for the security headers set to protect against clickjacking.

What we do not understand is that as per the documentation Setting up Iframe protection, we need to check the Content-Security-Policy and the Request URL from the response headers and we believe we are complying with the requirements.

We put for reference screenshots of the response headers which we got by reproducing the steps of the test procedure described in the documentation. We believe everything is correct but it still does not pass the screening.

Could you provide us some guidance on how to solve this issue? It has been a month since we try to work around this issue and it is frustrating not having more detailed explanation in the test procedure or in the rejection message.

Any help would be gladly appreciated. Thank you in advance,

CSP with frame-ancestorsRequest URL

banned

DivinityWebS · ‎04-28-2022

You need to setting up iframe Protection in every page of your app.

banned

phan_remy · ‎04-29-2022

Hi, thank you for your answer,

We made sure that the Iframe Protection is set up on every page of our app, as long as the 'shop' params is provided.

banned

Re: Security headers requirement against clickjacking

Security headers requirement against clickjacking

Community Blog Articles