Security headers requirement against clickjacking

Shopify Partner
3 1 0

Good day,


Our application submission does not go through the requirements that must be met before initial screening. The only comment we receive is for the security headers set to protect against clickjacking.


What we do not understand is that as per the documentation Setting up Iframe protection, we need to check the Content-Security-Policy and the Request URL from the response headers and we believe we are complying with the requirements.

We put for reference screenshots of the response headers which we got by reproducing the steps of the test procedure described in the documentation. We believe everything is correct but it still does not pass the screening.
Could you provide us some guidance on how to solve this issue? It has been a month since we try to work around this issue and it is frustrating not having more detailed explanation in the test procedure or in the rejection message.
Any help would be gladly appreciated. Thank you in advance,

CSP with frame-ancestorsCSP with frame-ancestorsRequest URLRequest URL

Replies 2 (2)

Shopify Partner
9 4 3

You need to setting up iframe Protection in every page of your app.

If helpful then please Like and Accept Solution.
Want to develop Public/Custom Shopify Apps - Hire me.
- Feel free to contact me on regarding any help
Shopify Partner
Shopify Partner
1 0 0

Hi, thank you for your answer,


We made sure that the Iframe Protection is set up on every page of our app, as long as the 'shop' params is provided.