> Caution: > This documentation covers App Bridge versions 3 and prior, which are installed from npm. You may want to view documentation for the current CDN version of [App Bridge](/docs/api/app-bridge-library). If you created your app with [Shopify CLI](/docs/apps/build/cli-for-apps) 3.x or higher, then your app is already set up so it can be embedded in the Shopify admin. Otherwise, you need to perform a few steps to configure your app so it can be embedded. ## Turn on embedding in the Partner Dashboard By default, all new apps are embedded in the Shopify admin. You can embed an existing app with the following steps: 1. From your [Partner Dashboard](https://partners.shopify.com/organizations), click **Apps**. 1. Click the name of your app. 1. Click **Configuration**. 1. In the **Embedded in Shopify admin** section, set the value for **Embed app in Shopify admin** to **True**. 1. If you plan to [embed your app in Shopify POS](/docs/api/app-bridge/previous-versions/actions/pos), then, in the **POS** section, set the value for **Embed app in Shopify POS** to **True**. 1. Click **Save and release**. > Caution: > If you enable this feature for an existing app that isn't designed to use Shopify App Bridge, then users will no longer be able to use the app. ## Serve your app over HTTPS You must serve your embedded applications over HTTPS. The Shopify admin uses HTTPS for all pages. Failure to serve an embedded app over HTTPS will cause errors in web browsers, due to [mixed content restrictions](https://developer.mozilla.org/en-US/docs/Security/MixedContent). Learn more about [serving your app over HTTPS](/docs/apps/build/security/encrypt-with-tls). > Tip: > To simplify local development, use Shopify [CLI](/docs/apps/build/cli-for-apps). ## Set the frame-ancestors directive The Content Security Policy `frame-ancestors` directive controls where the app can be framed. You must ensure your app is only frameable by the authenticated shop domain and the admin domain to avoid clickjacking attacks. You can do this with the Content Security Policy `frame-ancestors` directive: ``` Content-Security-Policy: frame-ancestors https://example.myshopify.com https://admin.shopify.com; ``` Learn more about the [`frame-ancestors` directive and app security](/docs/apps/build/security/set-up-iframe-protection). > Note: > The `frame-ancestors` directive replaces the obsolete `X-Frame-Options` response header. ## Authorize with OAuth Embedded apps should use [token exchange](/docs/apps/build/authentication-authorization/access-tokens/token-exchange) to obtain an access token. Depending on your needs, you can request an [online](/docs/apps/build/authentication-authorization/access-tokens/online-access-tokens) or [offline](/docs/apps/build/authentication-authorization/access-tokens/offline-access-tokens) access token. ## Set up Shopify App Bridge 3 in your app Shopify App Bridge 3 is available as [a JavaScript module on npm](https://www.npmjs.com/package/@shopify/app-bridge). You can install it in your app using [npm](https://www.npmjs.com/get-npm) or [yarn](https://yarnpkg.com/en/). > Tip: > We recommend installing the latest version of [App Bridge](https://shopify.dev.com/docs/api/app-bridge-library) for an improved experience and to future proof your app.