I tried using the header directive indeed but it can get overwritten by the proxied service I think. I guess it would work in all cases if I put it after the reverse_proxy block but I didn’t try that.
I didn’t have time earlier to follow your advice about handle_path but I’ll be doing that now! Thanks for the tip!
Do you have an idea how to allow the iframe to work only from my subdomain? What I have in mind is to add a content-security-policy with frame-src at the same place I remove the x-frame-options.