discolabs / django-shopify-auth

A package for adding Shopify authentication to a Django app.
MIT License

security headers to protect against clickjacking. #77

Closed MuzMoth closed 1 year ago

MuzMoth commented 2 years ago

App must set security headers to protect against clickjacking. Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

Can't resolve this issue, please help: link

stlk commented 2 years ago

Thanks for the message. We'll be definitely adding this feature. I think it should be released in January.

coler-j commented 1 year ago

Was this ever added?

stlk commented 1 year ago

No. I didn't add it to the package as it's not related to the auth itself. We're using this decorator.

from functools import wraps

from django.utils.decorators import method_decorator
from django.views import View


def shopify_embedded_app_csp_header(view_func):
    """
    The header should be used only for embedded apps.
    Mark a view function as being extended by the Content-Security-Policy headers.
    Set the frame-ancestors directive dynamically based on the current shop domain and the Shopify admin domain.
    Read Shopify docs: https://shopify.dev/apps/store/security/iframe-protection
    """

    @wraps(view_func)
    def wrapped_view(request, *args, **kwargs):
        # The shop domain is taken from the ``shop`` query parameter as-is;
        # nothing here checks that it is a *.myshopify.com host.
        shop_myshopify_domain = request.GET.get("shop")
        response = view_func(request, *args, **kwargs)
        # Without a shop parameter the response goes out with no CSP header.
        if not shop_myshopify_domain:
            return response
        # ``response.headers`` exists on Django 3.2+ HttpResponse.
        response.headers[
            "Content-Security-Policy"
        ] = f"frame-ancestors https://{shop_myshopify_domain} https://admin.shopify.com"
        return response

    return wrapped_view


@method_decorator(shopify_embedded_app_csp_header, name="dispatch")
class DashboardView(View):
    pass
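The decorator above interpolates the `shop` query parameter into the header unchecked. The following is an added example, not code from django-shopify-auth or from the thread, of a hardened variant that only accepts a well-formed `*.myshopify.com` host and otherwise emits `frame-ancestors 'none'`; the domain regex, the `'none'` fallback and the `header_for_query` helper are assumptions of this example, and it uses `SimpleNamespace` stand-ins so it runs without Django.

```python
import functools
import re
from types import SimpleNamespace
from typing import Optional

# Constructed example, not code from django-shopify-auth. The shop-domain pattern is
# an assumption: one label of letters, digits and hyphens, then ".myshopify.com".
SHOP_DOMAIN_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com")
ADMIN_ORIGIN = "https://admin.shopify.com"

def is_valid_shop_domain(shop: Optional[str]) -> bool:
    """True only for a bare *.myshopify.com host: no scheme, port, path or extra labels."""
    return bool(shop) and SHOP_DOMAIN_RE.fullmatch(shop) is not None

def frame_ancestors_csp(shop: Optional[str]) -> str:
    """Build the Content-Security-Policy value for an embedded-app response.

    ``shop`` comes from the query string, so interpolating it unchecked would let a
    crafted link pick the origin allowed to frame the page. Anything that is not a
    well-formed myshopify host falls back to 'none', which forbids framing entirely.
    """
    if not is_valid_shop_domain(shop):
        return "frame-ancestors 'none'"
    return f"frame-ancestors https://{shop} {ADMIN_ORIGIN}"

def shopify_embedded_app_csp_header(view_func):
    """Decorator in the shape of the one in the thread, using the validated builder.

    Assumes a Django-like ``request.GET`` mapping and a response object with a
    ``headers`` dict (Django 3.2+ HttpResponse has one).
    """
    @functools.wraps(view_func)
    def wrapped_view(request, *args, **kwargs):
        response = view_func(request, *args, **kwargs)
        response.headers["Content-Security-Policy"] = frame_ancestors_csp(
            request.GET.get("shop")
        )
        return response
    return wrapped_view

def header_for_query(query: dict) -> str:
    """Run the decorated view against a constructed request; return the CSP value."""
    @shopify_embedded_app_csp_header
    def dashboard(request):
        return SimpleNamespace(headers={})

    return dashboard(SimpleNamespace(GET=query)).headers["Content-Security-Policy"]
```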