
Customize csp. content-security-policy: frame-ancestors 'none'

Shopify Partner


I see that some Shopify stores return a different configuration in the HTTP csp header.

In my test store, it is:

content-security-policy: block-all-mixed-content; frame-ancestors 'none'; ...
but in other stores, like - it is:
content-security-policy: block-all-mixed-content; frame-ancestors *; ...

I would like to change the csp of my store, so that it would be: frame-ancestors *;
or at least: frame-ancestors 'self'
Does anyone know how I can configure this header?


Shopify Staff

Hey @EyalS,

By default, Shopify prevents stores from being rendered in an iframe, which mitigates the possibility of clickjacking attacks. This includes setting the CSP header to none, and setting X-Frame-Options to DENY. To have this disabled, the account owner can contact our support team and ask them to disable clickjacking protection.

JB | Solutions Engineer @ Shopify 
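To make the header values quoted above concrete, here is an added example (not code from the thread or from Shopify) that resolves a response's framing policy the way a browser does: a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options, and within it 'none' blocks every embedder, '*' admits any, and 'self' admits only the page's own origin. The store and embedder origins, and the sample header sets, are placeholders constructed for the example.

```javascript
// Added example (not code from the thread or from Shopify): resolve whether a
// page served with the given response headers may be framed by a document at
// embedderOrigin. Browsers that understand CSP frame-ancestors ignore
// X-Frame-Options when that directive is present, so it is checked first.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      // Source expressions; an empty list behaves like 'none'.
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // directive absent: fall back to X-Frame-Options
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.shop.example" -> ".shop.example"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// One frame-ancestors source expression against one embedder origin.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedderOrigin === pageOrigin;
  if (source === '*') return true;
  const o = new URL(embedderOrigin);
  const host = o.hostname.toLowerCase();
  const port = o.port || (o.protocol === 'https:' ? '443' : '80');
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return o.protocol === source; // "https:"
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/);
  if (m && `${m[1]}:` !== o.protocol) return false; // scheme given and differs
  const [patHost, patPort] = (m ? m[2] : source).split(':');
  if (patPort && patPort !== '*' && patPort !== port) return false;
  return hostMatches(patHost, host);
}

function canFrame(headers, embedderOrigin, pageOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const sources = parseFrameAncestors(get('content-security-policy'));
  if (sources !== null) {
    return sources.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no framing policy at all: any page may embed it
}

// Constructed sample responses modelled on the header values quoted in the
// thread; the store and embedder origins are placeholders, not real sites.
const STORE = 'https://example-store.myshopify.com';
const EMBEDDER = 'https://amp.example';
const SAMPLES = {
  lockedDown: { 'content-security-policy': "block-all-mixed-content; frame-ancestors 'none'",
                'x-frame-options': 'DENY' },
  open:       { 'content-security-policy': 'block-all-mixed-content; frame-ancestors *' },
  sameOrigin: { 'content-security-policy': "frame-ancestors 'self'" },
  allowList:  { 'content-security-policy': `frame-ancestors 'self' ${EMBEDDER}` },
  wildcard:   { 'content-security-policy': 'frame-ancestors *.amp.example' },
  legacyOnly: { 'x-frame-options': 'SAMEORIGIN' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, {
    byStore: canFrame(headers, STORE, STORE),
    byEmbedder: canFrame(headers, EMBEDDER, STORE),
  });
}
```

Two details worth noting when reading the output: 'none' blocks the store from framing itself, which is why the AMP-player case in the follow-up question fails, and a host source such as `https://amp.example` rejects an `http://` embedder because the scheme is part of the match.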


@_JB Is it only possible to turn clickjacking protection on or off? If the CSP header is set to 'self', is clickjacking possible? Because right now we have

<amp-story-player> and it creates an iframe. I can add other websites' URLs, like , but my own website URL with AMP can't be added...
Shopify Staff

Might help

Gabe | Social Care @ Shopify


Hello, can you please help me in resolving this issue? I am stuck here. Help is appreciated.



Requirements that must be met before initial screening
  1. App must set security headers to protect against clickjacking.
    Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop], where [shop] is the shop domain the app is embedded on.
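The quoted requirement leaves one practical point implicit: the shop domain an embedded app writes into `frame-ancestors https://[shop]` arrives from the request (typically the `shop` query parameter), so it must be validated before it is interpolated, or a crafted value can inject further directives into the header. The following is an added example, not Shopify's code; the `*.myshopify.com` shape of the shop domain and the Express-style `(req, res, next)` middleware signature are assumptions, and no framework is imported so the block runs offline.

```javascript
// Added example (not Shopify's code): build the frame-ancestors policy an
// embedded app must send, allow-listing only the shop that loaded it.

// Assumed shape of a shop domain: one label followed by .myshopify.com.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

function buildFrameAncestorsPolicy(shop) {
  if (typeof shop !== 'string' || !SHOP_RE.test(shop)) {
    // Unknown or malformed shop (including anything carrying ';' or
    // whitespace that would smuggle extra directives): fail closed.
    return "frame-ancestors 'none'";
  }
  return `frame-ancestors https://${shop.toLowerCase()}`;
}

// Express-style middleware; the (req, res, next) signature is assumed.
function cspMiddleware(req, res, next) {
  const shop = req.query && req.query.shop;
  res.setHeader('Content-Security-Policy', buildFrameAncestorsPolicy(shop));
  next();
}

// Minimal stand-in for a request/response pair so the middleware can be
// exercised without a web framework.
function simulate(query) {
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  cspMiddleware({ query }, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// Constructed inputs: a valid shop, a directive-injection attempt, and a
// foreign host.
for (const shop of [
  'my-store.myshopify.com',
  "my-store.myshopify.com; script-src 'unsafe-inline'",
  'evil.example',
  undefined,
]) {
  console.log(JSON.stringify(shop), '->', simulate({ shop }).headers['Content-Security-Policy']);
}
```

The fail-closed default matters: an app that responds with no framing policy at all when the shop is missing can be framed by anyone, which is the clickjacking exposure the requirement exists to prevent.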

Hi. This is a CRITICAL issue for merchants who want to use apps that rely on iframes, and for the developers of such apps. I still ran into this issue today (the first topic on this I found was over four years old).

Could you allow merchants to change the X-Frame-Options response header value (or the Content-Security-Policy frame-ancestors directive, if that is used) via the Shopify Admin panel? At least to "SAMEORIGIN" ('self' in the case of CSP), which would hardly be a security risk. This would be a BIG help to the mentioned merchants and developers... Thanks!