Security headers to protect against clickjacking

Topic summary

Shopify App Store submission for an alternative payment gateway was rejected due to missing security headers to prevent clickjacking. The rejection specifically requires setting the Content-Security-Policy (CSP) header with the frame-ancestors directive to allow embedding only from the merchant’s shop domain (https://[shop].myshopify.com) and from https://admin.shopify.com, per Shopify’s iframe protection requirements. The main unresolved question is when these headers must be applied in the app flow: whether they must be present during app installation/initial load, or only set later during the redirect/alternative payment gateway flow. No solution or clarification is provided yet; a follow-up post requests a response.

Summarized with AI on February 26. AI used: gpt-5.2.

Hi there,

Recently I attempted to submit an alternative payment gateway to the Shopify store and was almost immediately rejected with the following:

App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The ‘content-security-policy’ header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

And I’m wondering - do these headers have to be present on the installation of the app?

Or are we expected to set them upon redirect to the app for the alternative payment gateway flow. Just wondering where in the order of operations these need to exist.

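As an added example (not code from the original post or from Shopify), here is one way to produce the header the rejection notice describes. The shop domain is taken from a `shop` query parameter (an assumption; any source of the shop domain works) and validated before it is placed in the header, so a malformed or non-Shopify value cannot widen the allowed ancestors or inject further directives. Applied as middleware on every response, the header is present at installation and on later redirects alike, which avoids having to pick a single point in the order of operations.

```javascript
// Added example, not from the original post or Shopify's own code.
// Builds the Content-Security-Policy frame-ancestors value required by the
// App Store review and applies it to every response.

const SHOP_DOMAIN = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;
const ADMIN_ORIGIN = "https://admin.shopify.com";

// Header value for a given shop domain. When the shop is missing or does not
// look like a *.myshopify.com host, fall back to a restrictive value rather
// than interpolating an untrusted string into the header.
function frameAncestorsFor(shop) {
  if (typeof shop === "string" && SHOP_DOMAIN.test(shop)) {
    return `frame-ancestors https://${shop} ${ADMIN_ORIGIN};`;
  }
  return "frame-ancestors 'none';";
}

// Express-style middleware (req, res, next). `req.query.shop` is an assumption
// about where the shop domain arrives; adapt to the framework in use.
function clickjackingProtection(req, res, next) {
  const shop = req.query && req.query.shop;
  res.setHeader("Content-Security-Policy", frameAncestorsFor(shop));
  next();
}

// Constructed request exercised against a minimal fake response object, so the
// middleware can be run without a web server. Returns the header it set.
function demo(shopParam) {
  const headers = {};
  const req = { query: { shop: shopParam } };
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  clickjackingProtection(req, res, () => {});
  return headers["Content-Security-Policy"];
}
```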

Still waiting for a response. Any help, please?