How to embed HedgeDoc content - Iframe impossible

My version of HedgeDoc is: 1.9.2~ynh1

What I expected to happen: I have a main domain and a subdomain. I want to write my pads on the subdomain and embed them on my main domain with an iframe.

What actually happened:

Where there is the iframe my browser says “ does not allow connection.”

I’ve already tried:

    "production": {
        "protocolUseSSL": true,
        "domain": "",
        "port": "3000",
        "urlPath": "acceuil",
        "loglevel": "info",
        "useCDN": false,
        "allowGravatar": false,
        "allowFreeURL": false,
        "allowAnonymousEdits": true,
        "defaultPermission": "locked",
        "email": true,
        "allowEmailRegister": true,
        "imageUploadType": "filesystem",
        "tooBusyLag": 1000,
        "cookiePolicy": "none",
        "hsts": {
            "enable": true,
            "maxAgeSeconds": 31536000,
            "includeSubdomains": true,
            "preload": true
        },
        "csp": {
            "enable": true,
            "directives": {
            },
            "upgradeInsecureRequests": "auto",
            "addDefaults": true,
            "addDisqus": true,
            "addGoogleAnalytics": false,
            "allowFraming": true
        }
    }

and then:

    systemctl restart hedgedoc

Without success, I don’t know what to do … :confused:


Hello Nicolas,

Could you post the solution here for future inquiry?

Thank you!

I have uninstalled HedgeDoc from the subdomain. I reinstalled it on the same domain as WordPress.

That solved my problem.

I just asked a similar question in the Matrix forum about using HedgeDoc as a collaborative CMS. What I’ve hacked together is to have nginx on the top-level domain proxy the HedgeDoc site while also rewriting the CSP headers. You can see it in action at

I’m not an expert in any of this, so there may be a better way to do it…

        server_name ${DOMAIN_NAME};
        # Redirect empty file name to Main_Page
        location = / {
                return 302 https://${DOMAIN_NAME}/Main_Page;
        }
        # Proxy other page names to /s/pagename, replace CSP
        location / {
                proxy_hide_header Content-Security-Policy;
                add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}";
                proxy_pass https://docs.${DOMAIN_NAME}/s$request_uri;
        }
        # javascript and config stuff goes to non-static hedgedoc site as is
        location ~ ^/(js|build|config) {
                proxy_pass http://docs.${DOMAIN_NAME}$request_uri;
        }
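Editor's added example (not code from any poster in this thread or from HedgeDoc): a small checker that decides, from a response's `Content-Security-Policy` and `X-Frame-Options` headers, whether a browser would let a given parent page frame it, which is the decision behind the refused iframe discussed above. The `example.org` origins, the sample header and the function names are constructed for illustration; the check is simplified to the direct parent frame and does not handle wildcard ports.

```python
from urllib.parse import urlsplit

PORTS = {"http": 80, "https": 443}
# Constructed sample header, not taken from a real HedgeDoc response.
SAMPLE = [("Content-Security-Policy", "frame-ancestors 'self' *.example.org")]

def origin(url):
    """(scheme, host, port) triple, with the scheme's default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or PORTS.get(u.scheme))

def source_matches(src, parent, framed):
    """Match one frame-ancestors source expression against the embedding origin."""
    scheme, host, port = parent
    if src.startswith("'"):                  # keywords: only 'self' can match
        return src == "'self'" and parent == framed
    if src == "*":
        return scheme in PORTS
    if src.endswith(":"):                    # scheme-source such as "https:"
        return src[:-1] == scheme
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != scheme:
        return False
    if not s.scheme and scheme not in (framed[0], "https"):
        return False                         # scheme-less source follows the framed page
    want = s.hostname or ""
    # "*.a.b" covers subdomains only, never the bare domain "a.b" itself.
    host_ok = host.endswith(want[1:]) if want.startswith("*.") else host == want
    return host_ok and port == (s.port or PORTS.get(scheme))

def framing_allowed(headers, parent_url, framed_url):
    """Return (allowed, reason); simplified: checks the direct parent only."""
    parent, framed = origin(parent_url), origin(framed_url)
    saw_fa = False
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):      # every delivered policy must agree
            directives = [d.split() for d in policy.lower().split(";")]
            fa = next((d for d in directives if d and d[0] == "frame-ancestors"), None)
            if fa is None:
                continue
            saw_fa = True
            if not any(source_matches(t, parent, framed) for t in fa[1:]):
                return False, "blocked by CSP frame-ancestors"
    if saw_fa:                               # an enforced frame-ancestors overrides XFO
        return True, "allowed by CSP frame-ancestors"
    xfo = {v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"}
    if "DENY" in xfo or ("SAMEORIGIN" in xfo and parent != framed):
        return False, "blocked by X-Frame-Options"
    return True, "no framing restriction"
```

Feed it the headers from `curl -sI` on the pad URL; a narrowly scoped `frame-ancestors` naming the embedding origin is the setting to look for, rather than removing the framing headers altogether.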