I tried to submit the app on Shopify for approval. But every time they give me the message below:
Your primary app listing has 2 issues to fix before you can submit your app for review
App must set security headers to protect against clickjacking.
App must verify the authenticity of the request from Shopify.
Here is my code for verifying the HMAC, and it's working correctly.
// $data is the request content being signed, Auth::$client_secret is the app's shared secret
$calculated_hmac = hash_hmac('sha256', $data, Auth::$client_secret);
// $hmac is the value Shopify sent with the request; hash_equals compares in constant time
$result = hash_equals($hmac, $calculated_hmac);
Here is the header I hook in WordPress:
// register the callback on WordPress's send_headers action
add_action('send_headers', [$this, 'send_headers']);
public function send_headers() {
    // CSP frame-ancestors: forbids framing by any origin
    header("Content-Security-Policy: frame-ancestors 'none';");
    // legacy header: allows framing only by the same origin
    header('X-Frame-Options: SAMEORIGIN');
}
But after submitting I am still getting same message.
2 Answers
You are doing the CSP wrong. If you check the most recent documentation, it is such that the iframe has to exist inside the myshopify.com store domain. Also, it has nothing to do with WordPress. But anyway, ensure the CSP headers you render for frame-ancestors are:
With that, your clickjacking problem goes away. For the HMAC, you’ll have to try and figure out where you’re missing verification. I think they trick you, and you fail to send a 401, telling them you are doing the HMAC right.
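As an added example (not the poster's or the answerer's code), here is how the two points above fit together in PHP: the query-string HMAC is recomputed and the request is refused with a 401 when it does not match, and the frame-ancestors directive names the verified store instead of 'none'. It assumes the Shopify OAuth-style query parameters (shop, hmac, timestamp), that admin.shopify.com must also be allowed to frame an embedded app, and that the WordPress action is registered only for the app's own page.

```php
<?php
// Added example. Assumes Shopify appends ?shop=...&hmac=...&timestamp=... to the request.

// Verify the HMAC Shopify attaches to query-string requests: drop the hmac
// parameter, sort the rest by key, rebuild the query string and compute
// HMAC-SHA256 with the app's client secret (hex digest).
function shopify_query_hmac_is_valid(array $query, string $client_secret): bool {
    if (empty($query['hmac']) || !is_string($query['hmac'])) {
        return false;
    }
    $received = $query['hmac'];
    unset($query['hmac']);
    ksort($query);
    // http_build_query URL-encodes values; assumed to match what Shopify signed
    // for the usual shop/timestamp/code parameters.
    $message = http_build_query($query);
    $calculated = hash_hmac('sha256', $message, $client_secret);
    return hash_equals($calculated, $received); // known value first, constant-time compare
}

// The shop parameter is attacker-controlled input, so validate it before
// reflecting it into a header; only *.myshopify.com hostnames are accepted.
function shopify_shop_domain(array $query): ?string {
    $shop = $query['shop'] ?? '';
    return preg_match('/^[a-z0-9][a-z0-9\-]*\.myshopify\.com$/i', $shop) ? $shop : null;
}

// Reject unauthenticated requests with 401 instead of rendering the app page,
// then allow framing only by the verified store and the Shopify admin.
function shopify_guard_request(array $query, string $client_secret): void {
    $shop = shopify_shop_domain($query);
    if ($shop === null || !shopify_query_hmac_is_valid($query, $client_secret)) {
        http_response_code(401);
        exit('Unauthorized');
    }
    // frame-ancestors supersedes X-Frame-Options, which cannot list a foreign origin
    header("Content-Security-Policy: frame-ancestors https://{$shop} https://admin.shopify.com;");
}

// Hooked into WordPress the same way as the poster's send_headers action
// (assumed to be registered only on the app's embedded route).
add_action('send_headers', function () {
    shopify_guard_request($_GET, Auth::$client_secret);
});
```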
Reading your article was a fantastic experience. You have mentioned a good way one can resolve the security concerns of Shopify. Here I have some more steps that can also help you in resolving the security concerns of Shopify. Check out below:
This was another way readers can also resolve it. I had developed my Shopify store through Alakmalak Technologies and they have made my work easy by developing for me the best Shopify store. You can also develop a new Shopify store with all the security parameters at Alakmalak Technologies.