add_header X-Frame-Options "SAMEORIGIN" always;                                     # Allow iframe embedding only from the same origin
{% if landingpage_iframe_enabled | default(applications.get(application_id).get('landingpage_iframe_enabled')) | bool %}
  add_header Content-Security-Policy "frame-ancestors {{primary_domain}};" always;  # Restrict embedding to the specified primary domain
{% endif %}