diff --git a/sites-available/cryptpad.conf b/sites-available/cryptpad.conf
index 43f01ab..83d450c 100644
--- a/sites-available/cryptpad.conf
+++ b/sites-available/cryptpad.conf
@@ -19,7 +19,7 @@ server {
 server {
 	listen 443 ssl http2;
 
-	add_header Onion-Location http://pad.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+	#add_header Onion-Location http://pad.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
 
 	# CryptPad serves static assets over these two domains.
 	# `main_domain` is what users will enter in their address bar.
@@ -136,8 +136,8 @@ server {
 	# this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
 	# if you have enabled remote embedding via the admin panel then this must be more permissive.
 	# note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
-	#set $frameAncestors "'self' https://${main_domain}";
-	set $frameAncestors "'self' https: vector:";
+	set $frameAncestors "'self' https://${main_domain}";
+	#set $frameAncestors "'self' https: vector:";
 
 	set $unsafe 0;
 	# the following assets are loaded via the sandbox domain