Hello guys, I am facing an issue with verifying the public app on Shopify. It shows the error as shown in the figure. We are using Shopify-app gem for installation.
Topic summary
A developer is encountering verification errors when attempting to publish a public Shopify app. The errors relate to:
Primary Issues:
- Content Security Policy (CSP) headers not properly configured
- OAuth flow validation problems
- HMAC signature verification failures
The app displays error messages indicating it’s not correctly validating requests from Shopify or setting required security headers.
Recommended Solutions:
- For embedded apps: Set CSP header to allow framing from the shop’s myshopify.com domain and admin.shopify.com
- For non-embedded apps: Set CSP to “none”
- Validate all incoming requests by inspecting the X-Shopify-Hmac-SHA256 HMAC headers to ensure requests originate from Shopify
- Follow Shopify’s OAuth flow correctly during installation
Current Status:
The developer reports adding the CSP header, but the app remains unaccepted. They’re using Rails with shopify_app gem version 17 and Rails 6.0.3. The issue remains unresolved with no further troubleshooting steps provided.
The errors are pretty self-explanatory, but someone seems to have copied and pasted the description of the problem twice instead of providing you with the correct descriptions for the errors.
The first error is that you need to set the response header when serving your app.
If you have an embedded app, you need to set the content security policy header to the shop's myshopify.com address and admin.shopify.com:
Content-Security-Policy: frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;
For a non-embedded app, set it to “none”.
The text of the 1st error however indicates a problem with the OAuth flow. When the app is installed it MUST immediately redirect to Shopify to get the scopes approved. See this link for an explanation or see the below image.
The 2nd error seems to indicate that you are not verifying that requests are coming from Shopify. You need to validate any calls to your app by inspecting the X-Shopify-Hmac-SHA256 headers HMAC and ensuring that it’s valid.
Hope that helps.
Cheers,
Gary
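The two checks described in the reply above, as an added Ruby example that is not part of the original post or of the shopify_app gem. The helper names, secret and request body are constructed, and the example assumes the header carries the base64-encoded HMAC-SHA256 of the raw request body keyed with the app's API secret, as Shopify documents for webhooks.

```ruby
require "openssl"
require "base64"

# Added example: helper names and sample values are hypothetical/constructed,
# not shopify_app gem API.
SHOP_DOMAIN = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/

# Content-Security-Policy value for an embedded app, built per shop.
# The shop value usually arrives as a request parameter, so it is validated
# before being placed in a header; anything else falls back to 'none'
# (the fallback is a design assumption of this example).
def frame_ancestors_for(shop)
  unless shop.is_a?(String) && shop.match?(SHOP_DOMAIN)
    return "frame-ancestors 'none';"
  end
  "frame-ancestors https://#{shop} https://admin.shopify.com;"
end

# Verify X-Shopify-Hmac-SHA256 against the raw, unparsed request body.
# Re-serialising parsed JSON changes the bytes and breaks the digest.
def shopify_hmac_valid?(raw_body, header_value, secret)
  return false if header_value.nil? || header_value.empty?
  digest = OpenSSL::HMAC.digest("SHA256", secret, raw_body)
  expected = Base64.strict_encode64(digest)
  # Constant-time comparison, safe for inputs of different length.
  OpenSSL.secure_compare(expected, header_value)
end

# Constructed sample request (not real Shopify data).
SAMPLE_SECRET = "constructed-test-secret"
SAMPLE_BODY   = '{"id":1001,"topic":"orders/create"}'
SAMPLE_HEADER = Base64.strict_encode64(
  OpenSSL::HMAC.digest("SHA256", SAMPLE_SECRET, SAMPLE_BODY)
)

if __FILE__ == $PROGRAM_NAME
  puts frame_ancestors_for("shopify-dev.myshopify.com")
  puts shopify_hmac_valid?(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET)
  puts shopify_hmac_valid?(SAMPLE_BODY + " ", SAMPLE_HEADER, SAMPLE_SECRET)
end
```

In a Rails controller the raw body comes from `request.raw_post` and the header from `request.headers["X-Shopify-Hmac-SHA256"]`; reject the request with 401 when the check fails.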


