The short answer
BigCommerce lets you set security headers natively. Go to Settings > Security & Privacy > Storefront and you can configure Content-Security-Policy, Strict-Transport-Security and X-Frame-Options. There is a nonce option for CSP too.
No plan gate. No support request. No proxy. That puts BigCommerce ahead of Shopify, Wix and Squarespace, where storefront headers are either impossible or locked behind an enterprise contract.
You can also set the same values through the API with a PUT to /v3/settings/storefront/security, and optionally scope them per channel if you run more than one storefront.
What you get by default
At the time of writing, a BigCommerce storefront already responds with some protection before you touch anything. These are our own measurements, not a vendor promise, so treat them as a starting point and verify your own store.
Present by default. It stops browsers guessing file types. You get this for free, which is handy because it is not one you can configure yourself.
Deny by default, which blocks other sites from putting your store in an iframe. Strong anti-clickjacking protection out of the box.
Not set by default. This is the one worth your attention, and it is the one BigCommerce gives you a field for.
Configurable in the same panel, but you choose the value from a fixed list rather than typing one.
How to set them
The whole job is in one screen.
- 1.In your BigCommerce control panel, go to Settings > Security & Privacy > Storefront.
- 2.Set X-Frame-Options. Your choices are Deny, Same Origin or Allow from url. Deny is the safest default. Pick Same Origin only if your own pages frame each other, and Allow from url only if a specific partner site genuinely needs to embed you.
- 3.Set Strict-Transport-Security. Make sure HTTPS already works everywhere on your store first. See our SSL guide for BigCommerce if you are not sure.
- 4.Add your Content-Security-Policy value. Keep it short. There is a hard cap here, covered below.
- 5.Save, then reload your storefront and check the headers actually changed. A free check will show you what your store is really sending.
The limits, stated plainly
BigCommerce does this better than its competitors, but it is not full control. These are the walls you will hit.
- →The CSP value is capped at 1,000 characters. This is the big one. A real-world policy for a store with analytics, a chat widget, payment scripts and a few apps blows past 1,000 characters quickly. You will be writing a deliberately tight policy, not a comprehensive one.
- →HSTS max-age is not free-form. You pick from three options: zero, five minutes, or one year. If you want preload, you need the twelve-month setting plus includeSubDomains.
- →X-Frame-Options is a dropdown. Deny, Same Origin, or Allow from url. That covers nearly every real need, so this one rarely bites.
- →Referrer-Policy and X-Content-Type-Options are not configurable. BigCommerce sets X-Content-Type-Options for you anyway, so in practice Referrer-Policy is the only genuine gap.
- →No arbitrary headers. You get the three fields listed above and nothing else. There is no place to type a header name of your own.
A CSP that fits the cap
Start narrow and widen only where your store breaks. Here is a short, sane starting policy that leaves room under the 1,000-character limit for the handful of domains your apps need.
default-src 'self';
script-src 'self' https://www.googletagmanager.com;
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self' data:;
connect-src 'self';
frame-ancestors 'none';
base-uri 'self';
form-action 'self'This is a starting point, not a drop-in. Every store runs different apps, and a CSP that blocks a payment or analytics script is worse than no CSP. Test it on a staging channel, watch the browser console for blocked requests, and add only the domains you actually need. Remember every character you add counts against the 1,000 cap.
Filling the Referrer-Policy gap with Cloudflare
If you want the two headers BigCommerce will not set, putting Cloudflare in front is a real option and, unusually, an officially supported one. It works on any Cloudflare zone plan, it is not gated behind an enterprise deal, there is no downtime, and you do not need a new certificate. That is a much better story than Shopify, where the same approach is explicitly unsupported.
There is one hard failure mode and it will take your store offline. In BigCommerce's own words, the store domain must not be pointed via an A record. It must be pointed via a CNAME. Get this wrong and your store goes down with a Cloudflare 1000 error. Check how your domain is pointed before you start, not after.
Honest advice: this is worth doing if you have a specific reason to want Referrer-Policy or another custom header. For most stores, the native panel covers what matters and adding a proxy layer is more risk than reward.
A note on plan names
BigCommerce renamed its tiers on 1 June 2026. Standard became Core, Plus became Growth, Pro became Scale, and Enterprise became Performance. Older guides, including some still on the web today, name the old tiers. Security headers are not plan-gated at all, so this does not affect anything on this page, but it is worth knowing when you read anything else about BigCommerce.
What we would actually do
Set X-Frame-Options to Deny. Turn on HSTS at one year once HTTPS is solid. Write a tight CSP, test it properly, and accept that the 1,000-character cap means it will be modest rather than perfect. Skip Cloudflare unless you have a concrete need.
Then spend the rest of your time on email. Your SPF record and DMARC record live in DNS, where you have complete freedom, and people faking emails from your store is a far more common attack than clickjacking.
Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.
Run a free checkFrequently asked questions
Do I need a support ticket or a higher plan to set security headers on BigCommerce?
No. Header settings are in the control panel under Settings > Security & Privacy > Storefront, and they are available on all plans. This is genuinely one of the things BigCommerce does better than other hosted platforms.
Why does my Content-Security-Policy get cut off?
The CSP field has a hard cap of 1,000 characters. That is tight for a real store with analytics, chat and payment scripts. Keep the policy narrow, use short source lists, and add domains only when you have confirmed something is broken without them.
Can I set a custom HSTS max-age on BigCommerce?
No. The max-age is not free-form. You choose between zero, five minutes, and one year. If you want to submit your domain for preload you need the twelve-month option plus includeSubDomains. Do not enable preload casually, because getting off the preload list takes months.
How do I add a Referrer-Policy header on BigCommerce?
You cannot, not from the control panel. Referrer-Policy and X-Content-Type-Options are the two headers BigCommerce does not expose. X-Content-Type-Options is set for you by default anyway. For Referrer-Policy your only route is putting Cloudflare in front, which BigCommerce officially supports, but your domain must be pointed by CNAME and not by an A record or the store goes down.
Can I set headers per storefront?
Yes. As well as the control panel, you can set these values with a PUT to /v3/settings/storefront/security, and that call can optionally be scoped per channel. That is useful if you run several storefronts with different needs.