How to Add Security Headers on Shopify

Not possible

Shopify does not let merchants set custom security headers on the storefront. Here is the honest picture: what Shopify already sets for you, the one header you can still add, and the options if you need more.

This is the answer most guides get wrong. There is no theme, app, or Liquid setting that adds security headers to a standard Shopify storefront.

The short answer

On a standard Shopify storefront you cannot set custom HTTP security headers. Shopify controls the response headers, and there is no setting, theme edit, or Liquid snippet that changes them. Any guide telling you to paste headers into theme.liquid is describing meta tags, which is not the same thing and mostly does not work.

That sounds bad. It is not, and here is why: Shopify already sets several of the important ones for you.

What Shopify already gives you

At the time of writing, a Shopify storefront responds with these security headers by default, without you doing anything:

X-Content-Type-Options

Set to nosniff, which stops browsers guessing file types. This is the header most small sites are missing, and you get it for free.

X-Frame-Options

Set to DENY, which stops other sites putting your store in an iframe. This is strong anti-clickjacking protection.

Content-Security-Policy

A policy including frame-ancestors none is applied, reinforcing the anti-framing protection above.

Strict-Transport-Security

HSTS is enabled, so browsers stick to HTTPS on return visits. You do not need to add it.

The one header you can actually add

Shopify does not set a Referrer-Policy, and this is the one gap you can genuinely close yourself. Referrer-Policy is the rare security header that also works as an HTML meta tag, so you can add it in your theme.

In your Shopify admin go to Online Store > Themes > Edit code, open layout/theme.liquid, and add this inside the <head> section:

<meta name="referrer" content="strict-origin-when-cross-origin">

Note it is name="referrer", not http-equiv. This is the correct form and it is honoured by browsers.

Why you cannot do this for the others

It is worth understanding why, so you do not waste an afternoon. Meta tags are not a general substitute for HTTP headers:

  • X-Frame-Options as a meta tag does nothing at all. Browsers ignore it completely. Plenty of blog posts recommend it anyway. Shopify already sends the real header, so you are covered regardless.
  • HSTS is header-only by specification. There is no meta tag version. Shopify already sends it.
  • CSP partly works as a meta tag, but the most useful directives, including frame-ancestors, are ignored in meta form.
  • Referrer-Policy is the exception, which is why the snippet above is worth adding.

If you genuinely need full control

Two real options exist, and both are bigger decisions than a theme edit.

Hydrogen and Oxygen. Shopify's headless stack gives you real control over response headers. This is a full rebuild of your storefront, so it only makes sense if you were considering headless anyway.

Putting Cloudflare in front. Technically this can inject headers, but Shopify explicitly does not support it. In Shopify's own words, Cloudflare proxy setups "aren't supported by Shopify" and "could break at any time", with any resulting issues outside the scope of Shopify support. They cite interference with certificate renewal, reduced resiliency, and weaker bot detection. Shopify already uses Cloudflare as its own CDN, so you would be layering Cloudflare over Cloudflare. We would not recommend it for a store that takes payments.

What we would actually do

Add the Referrer-Policy meta tag, then stop worrying about it. Shopify covers the headers that matter most, and the remaining gaps are not worth breaking your store over.

Spend the effort where you still have full control instead: your SPF record and DMARC record are set in DNS, not in Shopify, so nothing is stopping you there. Those protect your customers from people sending fake emails in your name, which is a far more common attack on a store than clickjacking.

Check your work in seconds

Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.

Run a free check

Frequently asked questions

Can I add security headers in theme.liquid on Shopify?

Only Referrer-Policy, using a meta tag. HTTP headers cannot be set from a theme, because Shopify controls the response. The good news is Shopify already sends X-Content-Type-Options, X-Frame-Options, a Content-Security-Policy and HSTS by default.

Does Shopify Plus give me control over security headers?

No. This claim circulates widely and it is not true. Shopify Plus does not add custom header control on a standard storefront. Hydrogen and Oxygen, the headless stack, do give real header control, but that means rebuilding your storefront.

Will a failed security headers check hurt my store?

Not as much as you might think on Shopify, because the platform already sets the most important ones. A scanner that only counts headers can make your store look worse than it is. What matters is what is actually protecting your shoppers, not the number of headers.

Can I use Cloudflare to add headers to my Shopify store?

Technically it can work, but Shopify says Cloudflare proxy setups are not supported and could break at any time, and any issues fall outside Shopify support. Given the risk to certificate renewal and checkout, we would not do it on a store that takes payments.

How do I check which headers my store sends?

Run your store through our free safety check. It reports the security headers your site actually sends right now, along with SSL, email authentication and other signals a shopper would notice.

Security headers on other platforms

Other fixes for Shopify

See the full fix-it matrix →

Prove your site is safe.

Once it is fixed, show it. Get a badge your shoppers can verify, backed by continuous checks. Free to start.

Get started free Run a free check