ERROR: Blocked by X-Frame-Options Policy

Hi everyone,

I’m getting the below error:

The reason is because I’m running a reverse proxy (using Cloudflare workers) to proxy all traffic

And it works well for the most part. It is fully usable. But these are the other things that aren’t working:

  1. Search
  2. Appending a /edit to the end of a blog post to edit it

I think it has something to do with the content API

Would really appreciate some help to point me in the right direction.

Thank you!

@vikaspotluri123 Would you know?

I read your reply here, and I’m not sure if I need to change anything in my Nginx configuration.
After all, I have set up cloudflare to do all the re-directing.


If you’re running the admin panel on a different domain, try setting the admin url (search for admin on this page):

Hi @vikaspotluri123,
I suppose that does apply to me. I’m technically running the admin panel on

So I ran the command ghost config admin.url https://

But, unfortunately I’m now in a 502 error that I can’t resolve.
502 Bad Gateway
nginx/1.10.3 (Ubuntu)

I’ve tried to re-setup nginx, restart ghost - to no avail.

ghost log -f shows that ghost is running fine on production & no error.

Bit stumped. Anything I could try?
Is there a way to revert my changes?

I don’t think it’s possible to remove a config key. You’ll have to manually edit the config file and remove the

"admin": {
    "url": ""


The bad gateway error makes me think something is messed up in the DNS / IP level in terms of how you configured your domain / proxy

As soon as I removed that config key, it started to work again :slight_smile:

Though, I’m still where i was w.r.t to the original problem - but at least things are back up and running!

did you add any custom headers to the blog response?

I haven’t added any custom headers.
But, we do use Cloudflare workers to proxy traffic - so I don’t know if that is adding something to the response.

I have a feeling this might be a limitation of the default nginx configuration. If you set up SSL, it adds this line by default:

The workaround is to comment that line out, or add logic to send the allow header if you’re on the Admin origin

I’ll check that out, but when I’ve I understand nginx better.
I’m bit worried I’ll break things again :slight_smile: