
Shopify integration

Shopify has strict website security that by default prevents usage of widget technologies like ours.

There are generally two ways to resolve this: either through direct contact with Shopify customer support, or through a platform like Cloudflare if your website uses it.

Shopify customer support

We generally do not recommend this because Shopify supposedly removes the security measures completely, rather than relaxing them a little.

More context can be found here.


Cloudflare has a feature called Transform Rules, which includes the ability to override response headers.

Documentation can be found here.

This feature can be used to override the default Shopify HTTP response headers and replace them with less strict alternatives.

The default Shopify response headers that cause the issues with our widget are the following:

content-security-policy: block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;

x-frame-options: DENY

A more relaxed configuration that is still sufficiently secure is the following:

content-security-policy: frame-ancestors 'self'

x-frame-options: SAMEORIGIN

A more strict security policy that still allows Contester technology to work is the following:

content-security-policy: frame-ancestors https://*

x-frame-options: SAMEORIGIN

Note that your website may already use more elaborate versions of the headers above. You may need to adapt your existing values rather than replace them with the ones specified above.

In all cases the best course of action is to consult with your IT engineers on the best way to resolve this.
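
To see which embedding origins each of the three header sets above admits, here is an added example (not Contester's, Shopify's or Cloudflare's code) that models the browser's framing decision. It assumes a single ancestor, ignores ports and paths in source expressions, and follows the CSP rule that X-Frame-Options is ignored when frame-ancestors is present; the function and constant names are hypothetical.

```javascript
// Simplified model of a browser's framing check. Assumptions: a single
// ancestor, ports and paths in source expressions are ignored.
const SHOPIFY_DEFAULT = {
  "content-security-policy":
    "block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;",
  "x-frame-options": "DENY",
};
const RELAXED_SELF = {
  "content-security-policy": "frame-ancestors 'self'",
  "x-frame-options": "SAMEORIGIN",
};
const ANY_HTTPS = {
  "content-security-policy": "frame-ancestors https://*",
  "x-frame-options": "SAMEORIGIN",
};

// Source list of the frame-ancestors directive, or null when it is absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function sourceMatches(source, page, parent) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  if (m[1] && parent.protocol !== m[1] + ":") return false;
  if (m[2] === "*") return true; // https://* admits every HTTPS origin
  if (m[2].startsWith("*.")) return parent.hostname.endsWith(m[2].slice(1));
  return parent.hostname === m[2];
}

// True when a document at parentUrl may embed the page at pageUrl in a frame.
function mayFrame(headers, pageUrl, parentUrl) {
  const page = new URL(pageUrl), parent = new URL(parentUrl);
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) // frame-ancestors present: X-Frame-Options is ignored
    return sources.some((src) => sourceMatches(src, page, parent));
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent.origin === page.origin;
  return true; // no framing restriction set
}
```

Calling `mayFrame(ANY_HTTPS, "https://shop.example/", "https://other.example/")` with these constructed origins returns `true`, while the same call with `RELAXED_SELF` returns `false`.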

Other CDNs

Approach us with details about your CDN vendor and we can try to solve this.