Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'

Topic summary

Embedded Shopify app fails to render in an iframe on a Linux server due to the HTTP header X-Frame-Options: DENY. This header tells browsers to block framing; embedded apps must not send DENY.

Key guidance: Using koa-shopify-auth already handles OAuth/redirects; the issue is server headers. Ensure your web server does not set X-Frame-Options: DENY.

Resolution (for one setup):

  • Remove/override X-Frame-Options in Nginx (add_header X-Frame-Options "").
  • Check included configs (e.g., cipherli.st ssl-params.conf) that may re-add DENY and remove it there.
  • Reload Nginx and verify via: wget -q --server-response https://your.url.com. Note: adding lusca xframe in Koa wasn’t needed in the final fix.

Ongoing issues: Some still see the error after adding add_header and proxy_hide_header, or after service restarts. One suggestion: use Cloudflare Workers to rewrite headers on the fly.

Open question: A redirect to Shopify domains (e.g., admin.shopify.com) returns X-Frame-Options: DENY from Shopify; users asked if it can be overridden. No confirmed solution in thread.

Status: Original poster’s issue resolved by removing server-set DENY. Broader cases involving upstream Shopify headers remain unresolved.

Summarized with AI on December 21. AI used: gpt-5.

Still happening. I’ve added the lusca snippet, plus edited my nginx configuration on my server: at “/etc/nginx/sites-available/default”

added:

add_header X-Frame-Options "";

and

proxy_hide_header X-Frame-Options;

on all my running processes. Has anyone figured out how to get rid of this error once and for all?
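
The check described in the summary above (search the included nginx configs for a re-added DENY, then inspect the headers the server really sends), as an added example that is not part of the thread. The function names and the sample headers are constructed for illustration; `/etc/nginx` is assumed as the config root, and the function also reports a CSP `frame-ancestors` directive, the other response header that controls framing.

```bash
#!/usr/bin/env bash
# Added example: function names are hypothetical; sample headers are constructed.

# Print every active nginx directive that touches X-Frame-Options under a
# config root, so a DENY re-added by an included file (ssl-params.conf) shows up.
find_xfo_directives() {
  grep -RniE '^[[:space:]]*(add_header|proxy_hide_header)[[:space:]].*x-frame-options' \
    "${1:-/etc/nginx}"
}

# Read response headers on stdin (the format `wget -q --server-response` prints)
# and report the two headers that control framing.
frame_policy() {
  awk '
    { line = $0; sub(/\r$/, "", line); sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^x-frame-options:/ {
      v = low; sub(/^x-frame-options:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      xfo = (xfo == "" ? v : xfo "," v)      # keep duplicates: each one is sent
    }
    low ~ /^content-security-policy:/ && match(low, /frame-ancestors[^;]*/) {
      fa = substr(line, RSTART + 15, RLENGTH - 15); has_fa = 1
      sub(/^[ \t]+/, "", fa); sub(/[ \t]+$/, "", fa)
    }
    END {
      printf "xfo=%s frame-ancestors=%s\n", (xfo == "" ? "absent" : xfo), (has_fa ? fa : "absent")
    }'
}

# Constructed sample of a response that still carries the blocking header.
SAMPLE='  HTTP/1.1 200 OK
  Server: nginx
  X-Frame-Options: DENY
  Content-Security-Policy: frame-ancestors https://example.myshopify.com https://admin.shopify.com;'

printf '%s\n' "$SAMPLE" | frame_policy
# Live check: wget -q --server-response -O /dev/null https://your.url.com 2>&1 | frame_policy
```

An empty `add_header` value emits no header but does not cancel another `add_header X-Frame-Options DENY;` in the same context, and `proxy_hide_header` only strips the header sent by the proxied app, so every line the search prints needs checking.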