Ensure your app is only frameable by the authenticated shop domain

Apps must set the Content Security Policy frame-ancestors directive correctly to prevent clickjacking attacks. If the directive is missing or set incorrectly when you submit your app to the Shopify App Store, your app will be rejected. You'll be required to address this before resubmitting your app for review.

If your app is an embedded app, set the frame-ancestors directive to the current shop domain and the admin domain, so that the app can only be framed within the shop admin.

If your app is not embedded, set the frame-ancestors directive to 'none' to disallow all framing.
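The following is an added example, not code from the original page or from Shopify's libraries, showing one way to build the header value per request for both cases above. The function names, the hostname pattern, and the use of https://admin.shopify.com as the admin domain are assumptions; the shop value is expected to come from the authenticated session.

```javascript
// Added example: names below are hypothetical, not Shopify library APIs.
const ADMIN_ORIGIN = "https://admin.shopify.com"; // assumption: admin domain
// Exactly one DNS label followed by .myshopify.com, anchored at both ends.
const SHOP_HOST = /^[a-z0-9][a-z0-9-]{0,62}\.myshopify\.com$/;

// Returns the Content-Security-Policy value for one response.
// `shop` must come from the authenticated session, not an unverified parameter.
function frameAncestorsPolicy(shop, embedded) {
  if (!embedded) return "frame-ancestors 'none';";
  const host = String(shop || "").trim().toLowerCase();
  // A host that fails validation could place an arbitrary origin or extra
  // directives in the header, so fail closed and disallow all framing.
  if (!SHOP_HOST.test(host)) return "frame-ancestors 'none';";
  return `frame-ancestors https://${host} ${ADMIN_ORIGIN};`;
}

// Works with any response object exposing setHeader (Node http, Express).
function applyFrameAncestors(res, shop, embedded) {
  const policy = frameAncestorsPolicy(shop, embedded);
  res.setHeader("Content-Security-Policy", policy);
  return policy;
}

// Constructed sample inputs: a valid shop, a non-embedded app,
// a directive-injection attempt, and a look-alike suffix.
const samples = [
  ["example-store.myshopify.com", true],
  ["example-store.myshopify.com", false],
  ["evil.example; script-src *", true],
  ["example-store.myshopify.com.evil.example", true],
];
for (const [shop, embedded] of samples) {
  console.log(JSON.stringify(shop), embedded, "=>", frameAncestorsPolicy(shop, embedded));
}
```

Because the embedded value differs per shop, it has to be set on each response rather than as a static server-wide header, and responses carrying it should not be cached across shops.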