You need to set allow-from-uri to empty string so it uses SAMEORIGIN. 'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN', We will have to update the code since ALLOW-FROM seems to be deprecated. https://github.com/NodeBB/NodeBB/issues/8432 barisusakli created this issue in NodeBB/NodeBB open update ALLOW-FROM #8432