Fluent Commerce Logo
Docs
Help & Feedback

fc.mystique.security.headers

Setting

Changed on:

10 Mar 2026

Setting AreaSystem
Supported context levels:ACCOUNT

Overview

Security is a shared responsibility. While these platform settings provide powerful controls, the user must ensure their environment configuration is secure. Specifically:
  • The Content-Security-Policy header is crucial for preventing Cross-Site Scripting (XSS) attacks.
  • The X-Frame-Options header is vital to address Clickjacking risks. Refer Clickjacking Defense Cheat Sheet for more guidance.
The security headers setting allows you to enhance your application's security by defining policies that the browser must enforce, helping to mitigate attacks like Cross-Site Scripting (XSS) and clickjacking.

Values

Data TypeValues
JSONThe `lobValue` must be a valid JSON object where keys are supported HTTP header names and values are the corresponding header values. Only the headers listed below are supported. Any other header will be ignored.Supported Headers
  • `Content-Security-Policy`
  • `X-Content-Type-Options`
  • `X-Frame-Options`
  • `Referrer-Policy`
  • `Permissions-Policy`
  • `Cross-Origin-Opener-Policy`
1{
2    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self' *.fluentretail.com",
3    "X-Content-Type-Options": "nosniff",
4    "X-Frame-Options": "SAMEORIGIN",
5    "Permissions-Policy": "microphone=()",
6    "Referrer-Policy": "strict-origin-when-cross-origin",
7    "Cross-Origin-Opener-Policy": "same-origin"
8}

Language: json

Name: Security Headers Example

Description:

Sample JSON configuration that can be used as a starting point when defining account-level security headers.

Detailed technical description


Content-Security-Policy

  • Purpose: The most complex and powerful header. It provides fine-grained control over which resources (scripts, styles, images, etc.) are allowed to be loaded, helping to prevent Cross-Site Scripting (XSS) attacks.
  • Guidance: This policy is highly specific to your application. The example below is a baseline starting point. You will likely need to add domains for third-party scripts, analytics, or API endpoints. Use the browser developer console to identify CSP violations and update the policy accordingly. Only add domains that your application explicitly requires.
  • Minimum Value (use this as a base and add any additional domains as required):
    `"Content-Security-Policy": "default-src 'self'; script-src 'self' ACCOUNT_FRONTEND_DOMAIN data: 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self' ACCOUNT_API_DOMAIN;"`
  • Placeholders: Replace the following placeholders before submitting:
    • `ACCOUNT_FRONTEND_DOMAIN` — for example, `myaccount.apps.fluentcommerce.com` 
    • `ACCOUNT_API_DOMAIN` — for example, `myaccount.<environment>.api.fluentretail.com` 
  • Environment-specific configuration: The `connect-src` directive is specific to the environment. API domain patterns may differ between the sandbox and production environments. Because of this, there is no single universal `connect-src` value - configure it according to your environment. Avoid generic wildcards (for example, `*.fluentretail.com`) and test domains in production unless explicitly required.

X-Content-Type-Options

  • Purpose: Prevents the browser from trying to guess the content type of a resource (MIME-sniffing), which can be exploited.
  • Guidance: This header should always be enabled to ensure security.
  • Sample Value: `"X-Content-Type-Options": "nosniff"`

X-Frame-Options

  • Purpose: Protects against "clickjacking" attacks by controlling whether your application can be embedded in an `<iframe>` on other websites.
  • Guidance: Use `DENY` to prevent all framing, or `SAMEORIGIN` to allow it only from pages on your own domain.
  • Sample Value: `"X-Frame-Options": "SAMEORIGIN"`

Referrer-Policy

  • Purpose: Controls how much referrer information (the page the user came from) is included with requests.
  • Guidance: `strict-origin-when-cross-origin` provides an effective balance between utility and privacy by sending the full URL for same-origin requests and only the base origin for others.
  • Sample Value: `"Referrer-Policy": "strict-origin-when-cross-origin"`

Permissions-Policy

  • Purpose: Allows you to selectively enable or disable browser features and APIs, such as access to the camera, microphone, or geolocation.
  • Guidance: Disable any features your application does not use to enhance security.
  • Sample Value (disables geolocation and microphone access for all frames): `"Permissions-Policy": "geolocation=(), microphone=()"`

Cross-Origin-Opener-Policy

  • Purpose: Provides an extra layer of security to prevent documents from interacting with each other across different origins, mitigating attacks like Spectre.
  • Guidance: `same-origin` is a secure default that prevents unauthorized cross-origin interactions.
  • Sample Value: `"Cross-Origin-Opener-Policy": "same-origin"`

Configuration example

1mutation CreateSetting {
2  createSetting(input: {
3    name: "fc.mystique.security.headers",
4    valueType: "JSON",
5    lobValue: "{ \
6\"Content-Security-Policy": "default-src 'self'; script-src 'self' ACCOUNT_FRONTEND_DOMAIN data: 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self' ACCOUNT_API_DOMAIN;", \
7\"X-Content-Type-Options\": \"nosniff\", \
8\"X-Frame-Options\": \"SAMEORIGIN\", \
9\"Referrer-Policy\": \"strict-origin-when-cross-origin\", \
10\"Cross-Origin-Opener-Policy\": \"same-origin\" \
11}",
12    context: "ACCOUNT",
13    contextId: 0
14  }) {
15    id
16    name
17  }
18}

Language: graphqlschema

Update example

1mutation UpdateSetting {
2  updateSetting(input: {
3    id: 1,
4    name: "fc.mystique.security.headers",
5    valueType: "JSON",
6    lobValue: "{ \
7\"Content-Security-Policy": "default-src 'self'; script-src 'self' ACCOUNT_FRONTEND_DOMAIN data: 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self' ACCOUNT_API_DOMAIN;", \
8\"X-Content-Type-Options\": \"nosniff\", \
9\"X-Frame-Options\": \"SAMEORIGIN\", \
10\"Referrer-Policy\": \"strict-origin-when-cross-origin\", \
11\"Cross-Origin-Opener-Policy\": \"same-origin\" \
12}",
13    context: "ACCOUNT",
14    contextId: 0
15  }) {
16    id
17    name
18  }
19}

Language: graphqlschema

Building Blocks
Building Blocks
Packages & Modules
All UI Components
Workflows
Settings
Interface Contracts
All Rules
By Type
All Types
Knowledge Tracks
Extend Knowledge
Glossary
All How-to Guides
Sitemap
Topics
Use Cases
Helpful Resources
Platform Limits
Support Policy
Service Level Agreement (SLA) - Enterprise
Deprecation Policy
Extend Knowledge Content – Terms and Conditions
System and Organization Controls (SOC) 3 Report
Data Privacy Addendum
Security Policy
Quick Links
For Partners
Customer Resources
Webinars and Events
Certifications
Training Resources
Knowledge Tracks
Builders Portal
Product Update Newsletter
Industry Blogs & Events Newsletter
Trust Center Portal

Copyright © 2024-2026 Fluent Retail Pty Ltd (trading as Fluent Commerce). Unless otherwise expressly stated in a current written agreement with Fluent Commerce or any of its affiliates or on any single page of the docs.fluentcommerce.com site, use of the materials on this site is strictly limited to viewing by individuals over 18 years old for legitimate commercially appropriate reasons; and any downloading, copying or other actions or uses of any kind or by any means of the materials on this site, including by artificial intelligence tools, is strictly prohibited. All other rights reserved.

Fluent Logo