Thank you for your guidance. I focused on removing X-Frame-Options from multiple places like so to get it resolved.
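In server.js, using Koa, I added the following:
const Koa = require('koa');
const lusca = require('koa-lusca');
app.prepare().then(() => {
  const server = new Koa();
  // Send X-Frame-Options with an empty value
  server.use(lusca.xframe({value: ''}));
  // ... rest of the server setup ...
});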
Then in nginx.conf, apply the following:
add_header X-Frame-Options "";
Also, if you are using snippets from https://cipherli.st/, in
./snippets/ssl-params.conf
remove
add_header X-Frame-Options DENY;
Reload nginx and start the application, and then it will be resolved.
My main issue was that I forgot that the cipherlist configuration I extend from nginx.conf was overwriting the headers with DENY.
Also, to verify you removed the header correctly, use this command to check while the application and nginx are up.
wget -q --server-response https://${your.url}.com
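
Added example, not part of the original post or the poster's code: a shell audit that follows `include` directives from a top-level nginx config and prints every active `add_header X-Frame-Options` line with its file and line number, which is how an included snippet that still sets DENY gets found. The function names and the sample tree are constructed for illustration, and relative include paths are assumed to resolve against the directory of the top-level file.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumption: relative include
# paths resolve against the directory of the top-level config file.

_xfo_walk() {
  local file="$1" base="$2" pattern path includes
  [ -f "$file" ] || return 0
  case "$XFO_SEEN" in *"|$file|"*) return 0 ;; esac   # guard against include loops
  XFO_SEEN="$XFO_SEEN|$file|"
  # Active (uncommented) directives only; -H/-n print file:line:text.
  grep -HnEi '^[[:space:]]*add_header[[:space:]]+X-Frame-Options' "$file" || true
  includes=$(sed -nE 's/^[[:space:]]*include[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*/\1/p' "$file")
  while read -r pattern; do
    [ -n "$pattern" ] || continue
    case "$pattern" in /*) ;; *) pattern="$base/$pattern" ;; esac
    for path in $pattern; do            # unquoted on purpose: expands globs
      _xfo_walk "$path" "$base"
    done
  done <<EOF
$includes
EOF
  return 0
}

# Entry point: prints every X-Frame-Options add_header reachable from $1.
audit_xfo() {
  XFO_SEEN=""
  _xfo_walk "$1" "$(dirname "$1")"
}

# Constructed sample mirroring the post: nginx.conf clears the header while
# an included snippet still sets DENY.
make_sample() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/snippets"
  printf '%s\n' 'http {' '  include ./snippets/ssl-params.conf;' \
    '  add_header X-Frame-Options "";' '}' > "$dir/nginx.conf"
  printf '%s\n' '# add_header X-Frame-Options SAMEORIGIN;' \
    'add_header X-Frame-Options DENY;' > "$dir/snippets/ssl-params.conf"
  echo "$dir"
}

if [ "$#" -gt 0 ]; then
  audit_xfo "$1"
else
  sample=$(make_sample)
  audit_xfo "$sample/nginx.conf"
  rm -rf "$sample"
fi
```

Pass the path to the real top-level config as the first argument; any line reported from a file other than the one you edited is a directive that is still being applied.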