I am trying to submit an app using Express.js on the backend.
I am setting the headers in an app-level middleware, before any of the routes, like this:
const express = require("express");
const app = express();

// App-level middleware: runs for every request before the routes below it
app.use((req, res, next) => {
  var shopURL = req.query.shop;
  res.setHeader("Content-Security-Policy", `frame-ancestors ${shopURL} admin.shopify.com;`)
  next();
})
res.setHeader("Content-Security-Policy", `frame-ancestors https://${shopURL} https://admin.shopify.com;`)
I can see the headers being set exactly like that in the response headers in the browser.
But when I submit the app for review, it is rejected with this message:
App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.
This is extremely frustrating. There is no tooling from Shopify's end to really test these issues out. The documentation is not sufficient and doesn't say anything other than this.
Would love to get some help on this. Thanks.
This is an accepted solution.
I was able to resolve it. My app.js looks like this:
var express = require("express");
var cookieParser = require("cookie-parser");

var app = express();
app.use(cookieParser());

// Set frame-ancestors from the ?shop= parameter on every response
app.use(function (req, res, next) {
  var shopurl;
  var fa;
  // Only set the header when a shop parameter is actually present
  // (an undefined value would otherwise end up as "https://undefined")
  if (req.query.shop) {
    shopurl = req.query.shop;
    fa = `frame-ancestors https://${shopurl} https://admin.shopify.com`;
    res.setHeader(
      "Content-Security-Policy",
      fa
    );
  }
  next();
});
I was using `Helmet` package before for various security reasons but then I removed it and it started to work.
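One caveat on the accepted answer: it copies req.query.shop straight into the directive, so whatever arrives in the query string becomes an allowed framing origin, and because frame-ancestors sources are space separated, a single parameter can smuggle in several. The block below is an added example, not code from this thread or from Shopify: it only accepts values shaped like the [shop].myshopify.com domain the rejection message names and otherwise falls back to frame-ancestors 'none'. The regex, the helper names, and the sample inputs are assumptions made for the illustration; the req/res stand-ins exist only so it runs without Express.

```javascript
// Added example (not from the thread): build the frame-ancestors directive only
// from a validated shop domain, so the query string cannot widen the allow-list.

// Assumption: embedded-app shops are <name>.myshopify.com, as the review
// message states. Labels are letters, digits and hyphens; no dots, slashes,
// spaces or schemes are allowed inside the parameter.
const SHOP_DOMAIN = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

function isValidShopDomain(shop) {
  return typeof shop === "string" && SHOP_DOMAIN.test(shop);
}

// Returns the Content-Security-Policy value for a given ?shop= parameter.
// Anything that is not a well-formed shop domain gets 'none', so the page
// cannot be framed at all rather than being framed by an attacker's origin.
function frameAncestorsFor(shop) {
  if (!isValidShopDomain(shop)) {
    return "frame-ancestors 'none'";
  }
  return `frame-ancestors https://${shop.toLowerCase()} https://admin.shopify.com`;
}

// Express-style middleware; mount with app.use(cspMiddleware) before any route
// so every response carries the header, not just the initial page load.
function cspMiddleware(req, res, next) {
  const shop = req.query ? req.query.shop : undefined;
  res.setHeader("Content-Security-Policy", frameAncestorsFor(shop));
  next();
}

// Constructed stand-ins for Express's req/res so the middleware runs offline.
function runMiddleware(query) {
  const headers = {};
  const req = { query };
  const res = {
    setHeader(name, value) {
      headers[name.toLowerCase()] = value;
    },
  };
  let nextCalled = false;
  cspMiddleware(req, res, () => {
    nextCalled = true;
  });
  return { headers, nextCalled };
}

// Constructed sample inputs: one legitimate shop (in two spellings), then the
// shapes an attacker would put in the query string to get their origin allowed.
const SAMPLE_SHOPS = [
  "example.myshopify.com",
  "Example.MyShopify.com",
  undefined,
  "",
  "evil.example",
  "example.myshopify.com.evil.example",
  "example.myshopify.com evil.example", // extra space-separated source
  "https://example.myshopify.com", // would become https://https://...
];

// Table of input -> header value, for checking which inputs are accepted.
function policyTable() {
  return SAMPLE_SHOPS.map((shop) => [shop, frameAncestorsFor(shop)]);
}

for (const [shop, policy] of policyTable()) {
  console.log(JSON.stringify(shop), "->", policy);
}
```

Because it is mounted with app.use before the routes, the header goes out on every response, which also answers the "every request and response?" question further down. To check what the deployed app actually sends, request the embedded page with the shop parameter from the command line, for example `curl -sI 'https://<your-app-host>/?shop=example.myshopify.com'`, and look for the content-security-policy line in the output; the browser devtools Network tab shows the same response headers.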
Did you end up getting any help with this?
We have the exact same issue.
Yes, please check the accepted answer.
Can you tell me how to fix "Missing Secure Referrer-Policy Header"?
@prank7, can you please help with the same CSP error?
My app in Express.js:
// Shopify here is the @shopify/shopify-api client initialised elsewhere in the app
app.use((req, res, next) => {
  const shop = req.query.shop;
  if (Shopify.Context.IS_EMBEDDED_APP && shop) {
    // Embedded app with a shop parameter: allow that shop and the admin to frame us
    res.setHeader(
      "Content-Security-Policy",
      `frame-ancestors https://${shop} https://admin.shopify.com;`
    );
  } else {
    // Otherwise forbid framing entirely
    res.setHeader("Content-Security-Policy", `frame-ancestors 'none';`);
  }
  next();
});
But the app still gets rejected. What is the correct CSP to set in the header?
Hey, do we have to set the frame-ancestors header for every request and response?
Please confirm.
Thanks in advance 😊
Girish | Shopify Expert
If you are using a Next.js app to build the Shopify app, then in the home page, i.e. index.tsx or index.jsx,
add the following code:
// Runs on the server for every request to this page, so the header is set
// before the HTML is sent
export async function getServerSideProps(context: any) {
  if (context?.query?.shop)
    context.res.setHeader(
      "Content-Security-Policy",
      `frame-ancestors https://${context.query.shop} https://admin.shopify.com`,
    );
  return {
    props: {},
  };
}
This successfully submitted my app.
@prank7 Hey! I was facing the same issue and got the answer here, thank you all for it. Can you please clear one thing up: how can I test that the CSP is set in my header?