Whenever I submit to Shopify, I get rejected with these two issues being the reason (this is an external app, by the way):
- App must set security headers to protect against clickjacking.

  Your app does not request installation on the shop immediately after clicking “add app”. Apps must ask a shop for access when being installed on a shop for the first time, as well as when they were being reinstalled after having been removed. During install or reinstall we expected OAuth to be initiated at https://cambridgetestshop.myshopify.com/admin/oauth/authorize but were redirected to https://{my_domain}/app/shopify/auth?shop=cambridgetestshop.myshopify.com.

- App must verify the authenticity of the request from Shopify.

  Your app does not request installation on the shop immediately after clicking “add app”. Apps must ask a shop for access when being installed on a shop for the first time, as well as when they were being reinstalled after having been removed. During install or reinstall we expected OAuth to be initiated at https://cambridgetestshop.myshopify.com/admin/oauth/authorize but were redirected to https://{my_domain.com}/app/shopify/auth?shop=cambridgetestshop.myshopify.com.
The issue is I never redirect to https://{my_domain.com}/app/shopify/auth?shop=cambridgetestshop.myshopify.com. My flow is: click app install → https://{my_domain.com}/app/shopify → using the API library, beginAuth, redirect to https://{store_name}.myshopify.com/admin/oauth/authorize. There isn’t a point where I hit the /app/shopify/auth endpoint in my application. I also set the Content-Security-Policy to frame-ancestors none.
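
The two checks named in the rejection notice (request authenticity and anti-clickjacking headers), sketched as an added example; it is not part of the original post and not code from Shopify's API library. It assumes the HMAC scheme and `frame-ancestors` values described in Shopify's public documentation; the function names, the secret and the sample query string are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Only hostnames of this shape may be used in a redirect or a CSP header.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Assumed scheme: `hmac` is the hex HMAC-SHA256, keyed with the app's client
// secret, over the remaining query parameters sorted and joined with '&'.
function verifyInstallRequest(queryString, clientSecret) {
  const params = new URLSearchParams(queryString);
  const received = params.get('hmac') || '';
  params.delete('hmac');
  const message = [...params.entries()]
    .map(([key, value]) => `${key}=${value}`)
    .sort()
    .join('&');
  const expected = crypto
    .createHmac('sha256', clientSecret)
    .update(message)
    .digest('hex');
  const a = Buffer.from(received, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  const hmacOk = a.length === b.length && crypto.timingSafeEqual(a, b);
  // A valid signature is not enough: the shop value must also be a shop domain.
  return hmacOk && SHOP_RE.test(params.get('shop') || '');
}

// Content-Security-Policy value: a non-embedded app forbids all framing,
// an embedded app allows only the shop itself and the Shopify admin.
function frameAncestors(shop, embedded) {
  if (!embedded) return "frame-ancestors 'none';";
  if (!SHOP_RE.test(shop)) throw new Error('invalid shop domain');
  return `frame-ancestors https://${shop} https://admin.shopify.com;`;
}

// Constructed sample input: a made-up secret and a request signed with it.
function demo() {
  const secret = 'constructed-test-secret';
  const unsigned = 'shop=example-store.myshopify.com&timestamp=1700000000';
  const hmac = crypto.createHmac('sha256', secret).update(unsigned).digest('hex');
  return {
    genuine: verifyInstallRequest(`${unsigned}&hmac=${hmac}`, secret),
    tampered: verifyInstallRequest(`shop=other.myshopify.com&timestamp=1700000000&hmac=${hmac}`, secret),
    header: frameAncestors('example-store.myshopify.com', false),
  };
}

console.log(demo());
```
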