
Configure Security Headers

Set up HTTP security headers for your Shopify store to protect against XSS attacks, clickjacking, MIME sniffing, and other common web vulnerabilities.


Prompts

Copy, adapt, and run this directly in Shopify Sidekick.

Help me configure HTTP security headers for my Shopify store:

Store Context:

  Store URL: [YOUR STORE URL]
  Using a CDN or proxy: [YES/NO, which one, e.g., Cloudflare]
  Custom apps or scripts loaded: [LIST, e.g., chat widget, analytics, review app]
  Do you embed content in iframes on other sites: [YES/NO]


Security Headers to Configure:

  Content-Security-Policy (CSP)
    Define allowed script sources (self, Shopify CDN, trusted third parties)
    Define allowed style sources
    Define allowed image sources
    Define allowed font sources
    Block inline scripts where possible (or use nonces)
    Report violations to a monitoring endpoint

  X-Frame-Options
    Prevent your store from being embedded in iframes (clickjacking protection)
    Set to DENY or SAMEORIGIN based on your needs

  X-Content-Type-Options
    Set to nosniff to prevent MIME type sniffing

  Referrer-Policy
    Choose appropriate policy: [PREFERENCE, e.g., strict-origin-when-cross-origin]
    Balance privacy with analytics data needs

  Permissions-Policy
    Restrict browser features: camera, microphone, geolocation, payment
    Only enable features your store actually uses

  Strict-Transport-Security (HSTS)
    Set max-age to at least [DURATION, e.g., 31536000 seconds (1 year)]
    Include subdomains if applicable
    Consider HSTS preload submission


Implementation Methods:

  Using Cloudflare or CDN-level header injection
  Using Shopify proxy app headers
  Using meta tags in theme.liquid where HTTP headers are not available
  Limitations of Shopify hosted stores regarding custom headers


Testing:

  Use securityheaders.com to scan current grade
  Test all store functionality after adding headers (no broken scripts or styles)
  Monitor CSP violation reports for false positives
  Target security grade: [GRADE, e.g., A or A+]


Deliverables:

  Complete header configuration with values
  Implementation instructions for your specific setup
  Before and after security scan results
  Ongoing monitoring plan for header effectiveness
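As an added worked example (not part of the Sidekick prompt, and not Shopify's or Cloudflare's own tooling), the Python below turns a few store facts into the complete header set the "Security Headers to Configure" section asks for, so the resulting values can be pasted into whatever layer sets headers for the store. The function names, the nonce helper, the chat-widget origin and the /csp-report path are assumptions made for the illustration; cdn.shopify.com is Shopify's real asset CDN.

```python
# Added example: build the header set the prompt asks for from store facts.
# Function names, the nonce helper and the report path are assumptions.
import secrets

SHOPIFY_CDN = "https://cdn.shopify.com"  # Shopify's asset CDN origin
BROWSER_FEATURES = ("camera", "microphone", "geolocation", "payment")


def new_nonce():
    """Fresh per-response nonce; reusing one across responses defeats it."""
    return secrets.token_urlsafe(16)


def build_csp(script_sources=(), style_sources=(), img_sources=(),
              font_sources=(), nonce=None, allow_same_origin_framing=False,
              report_uri="/csp-report"):
    """Assemble a Content-Security-Policy value from per-type source lists."""
    script = ["'self'", SHOPIFY_CDN, *script_sources]
    if nonce:
        # Inline scripts stay blocked except <script nonce="..."> tags matching it.
        script.append(f"'nonce-{nonce}'")
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script),
        "style-src " + " ".join(["'self'", SHOPIFY_CDN, *style_sources]),
        "img-src " + " ".join(["'self'", SHOPIFY_CDN, "data:", *img_sources]),
        "font-src " + " ".join(["'self'", SHOPIFY_CDN, *font_sources]),
        "object-src 'none'",
        "base-uri 'self'",
        # Modern counterpart of X-Frame-Options; keep the two consistent.
        "frame-ancestors " + ("'self'" if allow_same_origin_framing else "'none'"),
        f"report-uri {report_uri}",  # violation reports go to your monitoring endpoint
    ])


def build_security_headers(*, allow_same_origin_framing=False,
                           allowed_features=(), hsts_max_age=31536000,
                           include_subdomains=True, preload=False,
                           referrer_policy="strict-origin-when-cross-origin",
                           nonce=None, **csp_sources):
    """Return {header name: value} for every header in the prompt's list."""
    if preload and (hsts_max_age < 31536000 or not include_subdomains):
        # The preload list only accepts max-age of at least one year plus includeSubDomains.
        raise ValueError("HSTS preload needs max-age >= 31536000 and includeSubDomains")
    hsts = [f"max-age={hsts_max_age}"]
    if include_subdomains:
        hsts.append("includeSubDomains")
    if preload:
        hsts.append("preload")
    # Each browser feature is disabled unless the store explicitly uses it.
    permissions = ", ".join(
        f"{feature}=({'self' if feature in allowed_features else ''})"
        for feature in BROWSER_FEATURES)
    return {
        "Content-Security-Policy": build_csp(
            nonce=nonce, allow_same_origin_framing=allow_same_origin_framing,
            **csp_sources),
        "X-Frame-Options": "SAMEORIGIN" if allow_same_origin_framing else "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": referrer_policy,
        "Permissions-Policy": permissions,
        "Strict-Transport-Security": "; ".join(hsts),
    }


if __name__ == "__main__":
    headers = build_security_headers(
        allow_same_origin_framing=True,
        allowed_features=("payment",),
        nonce=new_nonce(),
        script_sources=["https://chat.example-widget.com"],  # constructed third party
    )
    for name, value in headers.items():
        print(f"{name}: {value}")
```

One caveat for the meta-tag route in theme.liquid: only CSP can be delivered through a meta http-equiv tag, and in that form the frame-ancestors and report-uri directives are ignored; X-Frame-Options, Strict-Transport-Security and the other headers are honoured only as real HTTP response headers, so they need a CDN, proxy or app layer that can set them.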

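The Testing section asks for a scan of the current grade and the Deliverables for before-and-after scan results. As an added example (not from the page, and not the scanner securityheaders.com actually runs), this Python audits a captured response's headers offline against the thresholds the prompt names, so the store team can compare a "before" and "after" header set before touching production. Both header sets are constructed samples and the letter scale is this example's own invention.

```python
# Added example: offline audit of response headers against the prompt's
# thresholds. Not the securityheaders.com scanner; header samples are
# constructed and the grade scale is illustrative only.
REQUIRED_HEADERS = (
    "Content-Security-Policy", "X-Frame-Options", "X-Content-Type-Options",
    "Referrer-Policy", "Permissions-Policy", "Strict-Transport-Security",
)

# Constructed "before" sample: a partial set with a permissive CSP and a one-day HSTS.
BEFORE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https://cdn.shopify.com",
}

# Constructed "after" sample: the full set the prompt asks for.
AFTER_HEADERS = {
    "Content-Security-Policy": ("default-src 'self'; "
                                "script-src 'self' https://cdn.shopify.com 'nonce-abc123'; "
                                "report-uri /csp-report"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def csp_directives(value):
    """Parse a CSP value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value):
    """Return max-age from an HSTS value, or 0 when absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit_headers(headers, min_hsts_age=31536000):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing {name}" for name in REQUIRED_HEADERS if name.lower() not in h]

    if "content-security-policy" in h:
        d = csp_directives(h["content-security-policy"])
        scripts = d.get("script-src", d.get("default-src", []))
        if "default-src" not in d:
            findings.append("CSP has no default-src fallback")
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline scripts; use nonces instead")
        if "*" in scripts:
            findings.append("CSP script-src allows any origin")
        if "report-uri" not in d and "report-to" not in d:
            findings.append("CSP has no violation reporting endpoint")

    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("X-Content-Type-Options must be nosniff")
    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age < min_hsts_age:
            findings.append(f"HSTS max-age {age} is below {min_hsts_age}")
    return findings


def grade(findings):
    """Illustrative scale: A with no findings, one letter down per finding, floor F."""
    return "ABCDEF"[min(len(findings), 5)]


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        issues = audit_headers(hdrs)
        print(f"{label}: grade {grade(issues)}")
        for issue in issues:
            print(f"  - {issue}")
```

In practice the headers dict comes from the live store response (for example the output of curl -I against the store URL) rather than the constructed samples, and the same audit run after the change gives the "after" half of the deliverable; the CSP checks here are deliberately narrow, so keep monitoring the report endpoint for violations that a static audit cannot see.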

Tips to Improve Results

Copy the prompt above
Open Shopify Sidekick in your Shopify admin
Paste the prompt and replace the bracketed placeholders with your details
Review Sidekick's response and apply the suggestions