Shopify's Security Headers: What Store Owners Need to Know About HSTS, Referrer & Permissions Policies

Hey everyone! I've been spending a lot of time in the Shopify community forums lately, and a recent discussion caught my eye that I think many of you store owners will find super relevant, especially if you're diving into security audits or trying to optimize your site for the new wave of AI crawlers.

The thread, initially titled something quite technical like "Extending HSTS max-age and adding Referrer/Permissions-Policy headers," really boiled down to a crucial question: What control do we, as Shopify store owners, actually have over certain critical security response headers? And what does it mean for our SEO and security posture?

Unpacking the Core Issue: Shopify's Edge Control

One of our community members, Johnp247 (whose original post was hidden, but the follow-up from pochodura clarified the details), brought up some flags from an SEO and security audit. They noticed three specific response header items that seemed to be controlled by the Shopify platform itself, rather than something you could tweak in your theme settings:

  • Strict-Transport-Security (HSTS): The max-age was set to 7889238 seconds (roughly 91 days), while many audit tools recommend a full year (31536000 seconds) for HSTS preload lists.
  • Referrer-Policy header: It was completely missing.
  • Permissions-Policy header: Also completely missing.

The big question was: can we change these? And the short answer, as our resident expert lumine pointed out, is that Shopify manages these headers "at the edge." This means they're handled at the server level before your store's content even gets to the browser, and generally, there's no theme-level way to change them. Even Shopify Plus stores usually can't get custom values for these, though it never hurts to ask support!

HSTS: The Strict-Transport-Security Header

Let's talk about HSTS first. This header is vital for security because it tells browsers to connect to your site only over HTTPS (the secure version of HTTP) for as long as the max-age value says, upgrading plain http:// requests automatically. That blocks the downgrade-style man-in-the-middle attacks HSTS was designed against and ensures your visitors are always on a secure connection.

The audit flagged Shopify's default max-age of 91 days as less than the recommended one year. While it's true that a longer max-age is often preferred for HSTS preload lists, the reality for Shopify store owners is that this value is platform-controlled. As lumine and pochodura confirmed, there's currently no supported way to extend the HSTS max-age on your Shopify store. Shopify sets this at the platform level, and it's something we simply can't modify directly.

Don't panic, though! Shopify's default HSTS policy still provides a strong security baseline by ensuring HTTPS is used. While a longer max-age might look better on some audit reports, your store is still secure.

Referrer-Policy: Managing Information Flow

Next up is the Referrer-Policy header. This one controls how much referrer information (i.e., where a user came from) is sent along with requests. It's a privacy and security feature that helps prevent sensitive URLs from being leaked to third-party sites when users click links.

If your audit tool flagged a missing Referrer-Policy header, there's actually a partial workaround you can implement! While Shopify doesn't send this as a response header, you can add a meta tag directly into your theme's HTML. This meta tag often carries most of the same behavior that a server-side header would.

How to Add a Referrer-Policy Meta Tag:

Here's how you can add it to your store:

  1. From your Shopify admin, go to Online Store > Themes.
  2. Find your current theme and click Actions > Edit code.
  3. In the 'Layout' directory, click on theme.liquid.
  4. Locate the <head> section (usually near the top).
  5. Paste the following line of code just before the closing </head> tag: <meta name="referrer" content="strict-origin-when-cross-origin">
  6. Click Save.

The strict-origin-when-cross-origin value is a good balance, sending the full URL only for same-origin requests and just the origin (e.g., https://yourstore.com) for cross-origin requests. This helps maintain privacy without completely breaking analytics that rely on referrer data.

Permissions-Policy: Granular Browser Control

Finally, we have the Permissions-Policy header (formerly Feature-Policy). This is a more modern header designed to allow you to selectively enable or disable browser features and APIs (like camera, microphone, geolocation) for your site and any embedded content (iframes). This is a powerful security feature to prevent malicious scripts from accessing sensitive user features.

Similar to Referrer-Policy, audit tools might flag its absence. While there is a meta tag form of this header floating around, lumine wisely cautioned against relying on it as a "real fix." Browser support for this meta tag is still spotty, largely limited to Chromium-based browsers, and only for some directives. So, while you could technically add it, it wouldn't provide a consistent or reliable security posture across all your visitors' browsers.
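To see how an audit tool arrives at the three findings discussed above, and how the theme-level meta tag changes the Referrer-Policy result while Permissions-Policy still only counts from the header, here is an added example (not from the forum thread or from Shopify) that runs those checks against a constructed set of response headers and a constructed theme.liquid head:

```python
import re
from html.parser import HTMLParser

ONE_YEAR = 31536000  # seconds; the max-age that preload-oriented audits expect

class MetaReferrerFinder(HTMLParser):
    """Collects the content of a <meta name="referrer"> tag, the theme-level workaround."""
    def __init__(self):
        super().__init__()
        self.policy = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.policy = a.get("content")

def hsts_max_age(headers):
    """Return max-age in seconds from Strict-Transport-Security, or None if absent."""
    value = headers.get("strict-transport-security")
    if not value:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def audit(headers, html):
    """Reproduce the thread's three findings, crediting the meta tag for Referrer-Policy."""
    headers = {k.lower(): v for k, v in headers.items()}
    max_age = hsts_max_age(headers)
    finder = MetaReferrerFinder()
    finder.feed(html)
    referrer_header = headers.get("referrer-policy")
    return {
        "hsts_max_age_days": round(max_age / 86400, 1) if max_age is not None else None,
        "hsts_meets_one_year": max_age is not None and max_age >= ONE_YEAR,
        # header wins if present; otherwise the meta tag supplies the effective policy
        "referrer_policy": referrer_header or finder.policy,
        "referrer_policy_source": "header" if referrer_header else ("meta" if finder.policy else None),
        # only the header counts here: the meta form of Permissions-Policy is not reliable
        "permissions_policy_set": "permissions-policy" in headers,
    }

# Constructed sample: platform-style headers plus a theme.liquid <head> with the meta tag
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=7889238",
                  "Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = """<html><head>
<meta name="referrer" content="strict-origin-when-cross-origin">
</head><body></body></html>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Against the sample, HSTS comes out at 91.3 days and below one year, Referrer-Policy is satisfied from the meta tag, and Permissions-Policy remains unset, matching the thread's audit.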

The AI Crawler Connection: A Crucial Clarification

One of the initial motivations for pochodura's questions was "optimizing the site for AI crawlers." This is a fantastic goal, but here's a crucial insight from lumine: Permissions-Policy and Referrer-Policy don't actually gate AI crawlers like GPTBot, PerplexityBot, or ClaudeBot.

What truly influences AI crawler eligibility and behavior are things like:

  • robots.txt: Your good old robots.txt file at your site's root, with its allow and disallow lines.
  • llms.txt: A newer, specific file at your root designed explicitly for Large Language Model (LLM) crawlers.
  • JSON-LD: Structured data markup on your key pages, which helps crawlers understand your content better.

So, while these headers are great for browser-side security, don't get too hung up on them for your AI crawler strategy. Focus your efforts on robots.txt, llms.txt, and robust JSON-LD implementation.

Ultimately, this community discussion highlights that while Shopify provides an incredibly robust and secure platform, there are certain areas where platform-level control means less direct customization for store owners. For headers like HSTS max-age, we rely on Shopify's default (which is still very secure!). For others like Referrer-Policy, a meta tag can offer a good partial workaround. And for things like Permissions-Policy, the technology isn't quite there yet for a reliable meta tag solution. Always remember to prioritize what truly impacts your store's security and SEO goals, and don't let audit tool flags distract you from the bigger picture!
