Security Headers

The Merchant Center applies the following security headers. Some headers are added automatically, while others can be configured for additional customization.

Strict-Transport-Security

The Strict-Transport-Security header instructs browsers to access the application only over HTTPS and to upgrade any attempt to reach it over plain HTTP to HTTPS automatically.

By default, the header is set to a maximum age of 1 year and includes subdomains and preloading.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

You can extend the default configuration for a customization by providing additional directives. For more details, refer to the customization config documentation of Custom Applications or Custom Views.

The following example demonstrates how to extend the Strict-Transport-Security header.

const config = {
  headers: {
    strictTransportSecurity: ['includeSubDomains', 'preload'],
  },
  // ...
};

X-XSS-Protection

The X-XSS-Protection header is added by default to enable the Cross-Site Scripting (XSS) filter in the browser, preventing the execution of malicious scripts.

X-XSS-Protection: 1; mode=block

X-Content-Type-Options

The X-Content-Type-Options HTTP response header is added by default to make the browser honour the MIME type declared in the Content-Type header instead of guessing one from the response body. This prevents MIME type sniffing, since the declared MIME types are treated as intentionally set.

X-Content-Type-Options: nosniff

X-Frame-Options

The X-Frame-Options header is added by default to prevent the page from being rendered in a <frame>, <iframe>, <embed>, or <object> from a different domain, protecting against clickjacking attacks.

X-Frame-Options: SAMEORIGIN

Referrer-Policy

The Referrer-Policy header is added by default to control how much referrer information is included with requests.

Referrer-Policy: same-origin

Content-Security-Policy (CSP)

The Content Security Policy header allows you to define which resources the browser is permitted to load for a specific page. This helps to mitigate the risk of cross-site scripting (XSS) attacks.

The default CSP ships with a set of directives, among them source entries for the application's own URL domains.

You can extend the default CSP directives using an optional configuration object. Please refer to the customization config documentation of Custom Applications or Custom Views for more details.

Permissions Policy

The Permissions-Policy header allows control over which browser features can be used in the website and within any <iframe> elements it contains.

By default, no specific permissions are enforced unless explicitly configured in your application's customization configuration. For details on configuring the Permissions Policy to suit your application's needs, refer to the customization config documentation of Custom Applications or Custom Views.
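The following is an added example, not the Merchant Center's own code, showing how the defaults listed on this page can be merged with a customization config into a complete header set. It serves the Strict-Transport-Security extension example above as well as the CSP and Permissions Policy sections. Only the `strictTransportSecurity` config key appears on this page; the `csp` and `permissionsPolicy` keys, the default CSP source lists, and the sample values are assumptions made for the example.

```javascript
// Added example (not the Merchant Center's own code): build the response header
// set from a customization config, merging extra directives into the defaults
// listed on this page. The `headers.csp` and `headers.permissionsPolicy` keys
// and the default CSP sources are assumed; only `strictTransportSecurity` is
// documented above.

// Defaults documented on this page (CSP sources are an assumption).
const DEFAULT_HSTS = ['max-age=31536000', 'includeSubDomains', 'preload'];
const DEFAULT_CSP = {
  'default-src': ["'self'"],
  'connect-src': ["'self'"], // the application's URL domains would be appended here (assumed)
  'frame-ancestors': ["'self'"],
};
const STATIC_HEADERS = {
  'X-XSS-Protection': '1; mode=block',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'same-origin',
};

function uniq(list) {
  return [...new Set(list)];
}

// HSTS: keep exactly one max-age (the customization's if it supplies one,
// otherwise the default), then append boolean directives without duplicates.
function buildHsts(extra = []) {
  const customMaxAge = extra.find((d) => /^max-age=\d+$/i.test(d));
  const maxAge = customMaxAge || DEFAULT_HSTS[0];
  const flags = uniq([
    ...DEFAULT_HSTS.slice(1),
    ...extra.filter((d) => !/^max-age=/i.test(d)),
  ]);
  return [maxAge, ...flags].join('; ');
}

// CSP: merge per-directive source lists; directives that only exist in the
// customization are added as new directives.
function buildCsp(extra = {}) {
  const merged = { ...DEFAULT_CSP };
  for (const [directive, sources] of Object.entries(extra)) {
    merged[directive] = uniq([...(merged[directive] || []), ...sources]);
  }
  return Object.entries(merged)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Permissions-Policy: `{ camera: [] }` -> `camera=()` (feature disabled
// everywhere), `{ geolocation: ['self'] }` -> `geolocation=(self)`. An empty
// config yields no header, matching the "no specific permissions" default.
function buildPermissionsPolicy(policy = {}) {
  return Object.entries(policy)
    .map(([feature, allow]) => {
      const list = allow.map((o) => (o === 'self' ? 'self' : `"${o}"`)).join(' ');
      return `${feature}=(${list})`;
    })
    .join(', ');
}

function buildSecurityHeaders(config = {}) {
  const h = config.headers || {};
  const out = {
    ...STATIC_HEADERS,
    'Strict-Transport-Security': buildHsts(h.strictTransportSecurity),
    'Content-Security-Policy': buildCsp(h.csp),
  };
  const pp = buildPermissionsPolicy(h.permissionsPolicy);
  if (pp) out['Permissions-Policy'] = pp;
  return out;
}

// Constructed sample config (values are placeholders).
const sampleConfig = {
  headers: {
    strictTransportSecurity: ['includeSubDomains', 'preload'],
    csp: {
      'connect-src': ['https://api.example.com'],
      'img-src': ['https://cdn.example.com'],
    },
    permissionsPolicy: { camera: [], geolocation: ['self'] },
  },
};

console.log(buildSecurityHeaders(sampleConfig));
```

Running the block prints the merged header map; the directive lists are deduplicated so repeating a default directive in the customization, as the Strict-Transport-Security example above does, leaves the header value unchanged.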

Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) is a browser mechanism that controls whether a web page may make requests to a different origin than the one that served it. This is essential for preventing unauthorized access and data theft across domains.

The Merchant Center API has a set of CORS rules configured to allow only requests from trusted commercetools domains as well as requests with allowed HTTP headers.
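As an added illustration of the allowlist behaviour described above (this is example code, not the Merchant Center API's CORS implementation), the block below decides a preflight request by matching the Origin exactly against a fixed list and checking the requested headers against an allowlist. The origins, header names and methods are constructed placeholders.

```javascript
// Added example (not the Merchant Center API's own code): allowlist-based CORS
// decision for a preflight (OPTIONS) request. The origin is matched exactly
// against a fixed set and never reflected from the request; requested headers
// must all be on the allowlist. All lists below are constructed placeholders.

const ALLOWED_ORIGINS = new Set([
  'https://mc.example.com',
  'https://custom-app.example.com',
]);
const ALLOWED_HEADERS = new Set(['authorization', 'content-type', 'x-project-key']);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];

// Returns the CORS response headers for the request, or null when the request
// must not be granted cross-origin access (the caller then omits CORS headers).
function corsHeadersFor(request) {
  const origin = request.headers.origin;
  // Exact-match lookup: a prefix or substring match would also accept
  // look-alike hosts such as "https://mc.example.com.other.example".
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;

  const requested = (request.headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (requested.some((h) => !ALLOWED_HEADERS.has(h))) return null;

  return {
    'Access-Control-Allow-Origin': origin, // the allowlisted origin, never '*'
    Vary: 'Origin', // caches must not reuse this response for another origin
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': [...ALLOWED_HEADERS].join(', '),
    // Credentialed requests require a specific origin above, not '*' (assumed
    // here that the API is called with credentials).
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Constructed sample preflight requests.
const okPreflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://mc.example.com',
    'access-control-request-headers': 'Authorization, Content-Type',
  },
};
const lookAlikeOrigin = {
  method: 'OPTIONS',
  headers: { origin: 'https://mc.example.com.other.example' },
};
const disallowedHeader = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://mc.example.com',
    'access-control-request-headers': 'X-Debug',
  },
};

console.log(corsHeadersFor(okPreflight));
console.log(corsHeadersFor(lookAlikeOrigin)); // null
console.log(corsHeadersFor(disallowedHeader)); // null
```

The `Vary: Origin` header matters whenever the allowed origin is echoed back: without it a shared cache could serve a response tagged with one origin to a page from another.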