{#
  Framing (clickjacking) policy for applications whose `features.iframe`
  flag is truthy. Each lookup falls back to an empty dict / False, so an
  unknown application_id or a missing key renders nothing here.

  NOTE(review): when the flag is off this snippet emits neither header, so
  any framing restriction for those applications has to come from another
  part of the configuration (for example a default deny policy) - confirm.

  NOTE(review): nginx inherits add_header directives from the enclosing
  level only when the current level defines none. Check the context this
  renders into: headers set one level up are not inherited alongside these
  two, and a nested location with its own add_header will not inherit them.
#}
{% if applications.get(application_id, {}).get('features', {}).get('iframe', False) %}
{#
  Legacy fallback for browsers without frame-ancestors support: same-origin
  framing only. `always` adds the header on every response code, including
  error pages.
#}
add_header X-Frame-Options "SAMEORIGIN" always;
{#
  Browsers that honour frame-ancestors ignore X-Frame-Options, so for them
  the effective policy is same origin plus primary_domain. A host source
  without a wildcard matches that host only, not its subdomains.
  NOTE(review): primary_domain is interpolated unescaped into a quoted
  nginx string - presumably a bare hostname from trusted inventory; verify.
  NOTE(review): if another Content-Security-Policy header is sent for the
  same response, browsers enforce every policy, so the strictest
  frame-ancestors wins - confirm that is intended.
#}
add_header Content-Security-Policy "frame-ancestors 'self' {{ primary_domain }};" always;
{% endif %}