From 4ea1e66cdf3bf5c33feb196035d15d65f45601df Mon Sep 17 00:00:00 2001
From: codex_a <codex-a-wsl@users.noreply.github.com>
Date: Wed, 4 Mar 2026 20:51:23 +0000
Subject: [PATCH] fix(preview): align frame policy and canonical host for
 Wagtail preview

---
 deploy/caddy/nohype.caddy | 47 +++++++++++++++++++++------------------
 deploy/entrypoint.prod.sh |  9 ++++++--
 2 files changed, 32 insertions(+), 24 deletions(-)

diff --git a/deploy/caddy/nohype.caddy b/deploy/caddy/nohype.caddy
index 4faa1f6..b45972a 100644
--- a/deploy/caddy/nohype.caddy
+++ b/deploy/caddy/nohype.caddy
@@ -1,23 +1,26 @@
-nohypeai.net, www.nohypeai.net {
-  encode gzip zstd
-
-  header {
-    X-Content-Type-Options nosniff
-    X-Frame-Options DENY
-    Referrer-Policy strict-origin-when-cross-origin
-    Permissions-Policy "geolocation=(), microphone=(), camera=()"
-    X-Forwarded-Proto https
-  }
-
-  handle_path /static/* {
-    root * /srv/sum/nohype/static
-    file_server
-  }
-
-  handle_path /media/* {
-    root * /srv/sum/nohype/media
-    file_server
-  }
-
-  reverse_proxy localhost:8001
+www.nohypeai.net {
+	redir https://nohypeai.net{uri} permanent
+}
+
+nohypeai.net {
+	encode gzip zstd
+
+	header {
+		X-Content-Type-Options nosniff
+		Referrer-Policy strict-origin-when-cross-origin
+		Permissions-Policy "geolocation=(), microphone=(), camera=()"
+		X-Forwarded-Proto https
+	}
+
+	handle_path /static/* {
+		root * /srv/sum/nohype/static
+		file_server
+	}
+
+	handle_path /media/* {
+		root * /srv/sum/nohype/media
+		file_server
+	}
+
+	reverse_proxy localhost:8001
 }
diff --git a/deploy/entrypoint.prod.sh b/deploy/entrypoint.prod.sh
index 1bb119c..41daef4 100755
--- a/deploy/entrypoint.prod.sh
+++ b/deploy/entrypoint.prod.sh
@@ -7,11 +7,16 @@ python manage.py migrate --noinput
 python manage.py collectstatic --noinput
 python manage.py update_index
 
-# Set Wagtail site hostname from first entry in ALLOWED_HOSTS
+# Set Wagtail site hostname from WAGTAILADMIN_BASE_URL when available.
+# This keeps preview/page URLs on the same origin as the admin host.
 python manage.py shell -c "
 from wagtail.models import Site
 import os
-hostname = os.environ.get('ALLOWED_HOSTS', 'localhost').split(',')[0].strip()
+from urllib.parse import urlparse
+
+admin_base = os.environ.get('WAGTAILADMIN_BASE_URL', '').strip()
+parsed = urlparse(admin_base) if admin_base else None
+hostname = parsed.hostname if parsed and parsed.hostname else os.environ.get('ALLOWED_HOSTS', 'localhost').split(',')[0].strip()
 Site.objects.update(hostname=hostname, port=443, site_name='No Hype AI')
 "
 
-- 
2.49.1