Hello everyone!
We’re trying to submit our sales channel app, which is embedded in the Shopify admin dashboard, and we keep failing the automatic checks with the following error:
- App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The ‘content-security-policy’ header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.
A bit about our architecture:
Our frontend is an SPA (React), served by AWS CloudFront and hosted on S3. It talks to a separate backend via a REST API.
At which point do we add these headers? We’ve tried adding them to the backend API responses, but we still fail the automatic checks.
If anyone has been through a similar situation and resolved this issue, your help would be greatly appreciated!
Thanks.
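The check inspects the HTML document that Shopify frames, i.e. the SPA response CloudFront serves from S3, not the backend API. Below is an added example (not the poster's code or Shopify's) of a CloudFront Function, assumed to run on the distribution's viewer-response event under runtime 2.0, that builds the required frame-ancestors directive from the `shop` query parameter Shopify appends when loading an embedded app; falling back to `'none'` when that parameter is missing or malformed is a choice made here.

```javascript
// Added example: CloudFront Function (viewer-response, runtime 2.0 assumed)
// that sets the Content-Security-Policy header Shopify's app check expects.

// Accept only a well-formed myshopify.com hostname, so a crafted `shop`
// value cannot append extra directives or allow a third-party origin.
const SHOP_HOST = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Build the directive for one shop. When no valid shop is present the page
// is not being loaded in the Shopify admin, so framing is refused entirely.
function buildFrameAncestors(shop) {
  if (typeof shop !== 'string' || !SHOP_HOST.test(shop)) {
    return "frame-ancestors 'none';";
  }
  return 'frame-ancestors https://' + shop + ' https://admin.shopify.com;';
}

// Viewer-response handler: reads `shop` from the request's query string and
// stamps the header onto the response CloudFront is about to return.
function handler(event) {
  const qs = event.request.querystring || {};
  const shop = qs.shop ? qs.shop.value : undefined;
  const response = event.response;
  response.headers['content-security-policy'] = {
    value: buildFrameAncestors(shop),
  };
  return response;
}
```

Attach the function to the behaviour that serves the SPA's index document, and make sure no X-Frame-Options header is also set on that response, since it would conflict with the CSP.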