if you're trying to embed nodebb on another site (i.e., the nodebb instance domain ISN'T your website's domain), you'll have to contend with CSP headers. just a heads up. if you have full control of the server on which your nodebb instance is hosted, you could set up a simple reverse proxy with nginx, point it to whatever port nodebb is listening on, and set the headers to something lax that way. config below. server { listen localhost:4000 ssl; server_name localhost; ssl_certificate /etc/nginx/ssl/localhost.crt; ssl_certificate_key /etc/nginx/ssl/localhost.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'AES128+EECDH:AES128+EDH'; ssl_prefer_server_ciphers on; location /forum { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; client_max_body_size 100M; proxy_pass http://127.0.0.1:4567; proxy_redirect off; proxy_intercept_errors on; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_hide_header content-security-policy; proxy_hide_header x-frame-options; add_header content-security-policy "default-src * 'unsafe-eval' 'unsafe-inline' 'self' 'inline' 'http://*.*'"; } } you can append whatever domains you'd like to the 3rd to last line (the one that starts with add_header ...), though you shouldn't need to, since the * should whitelist all origins. you might ask, “what legitimate use would there be for this?!?” in my particular case, it's nice for local development — where your nodebb instance is already running elsewhere but you want to embed it in the site you're developing on your PC.