diff --git a/nginx.conf b/nginx.conf
index b2f3605..146e954 100755
--- a/nginx.conf
+++ b/nginx.conf
@@ -309,59 +309,29 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; - #***# PORTAINER: API direkt weiterleiten (kein auth_request) - location ^~ /api/ { - proxy_pass http://127.0.0.1:9000; #***# auf lokalen Portainer HTTP Backend zeigen - proxy_http_version 1.1; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - - #***# PORTAINER: statische Assets / locales ebenfalls ohne auth (wichtig für i18n) - location ~* \.(?:js|css|json|png|jpg|jpeg|gif|ico|svg|woff2?)$ { - proxy_pass http://127.0.0.1:9000; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - - location ^~ /locales/ { - # explizit für i18n Pfade - proxy_pass http://127.0.0.1:9000; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto https; - } - - # Haupt-UI: auth_request greift nur hier (UI), nicht für /api/ oder Assets location / { auth_request /nginxauth; - proxy_pass http://127.0.0.1:9000/; #***# auf lokales Portainer HTTP Backend zeigen - + proxy_pass http://portainer:9000; proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + proxy_set_header Connection "upgrade"; - #***# PORTAINER HOST FIX: - proxy_set_header Host $host; #***# PORTAINER HOST - proxy_set_header X-Forwarded-Host $host; #***# PORTAINER HOST - proxy_set_header X-Forwarded-Proto https; #***# PORTAINER HOST - - proxy_set_header Origin $http_origin; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # WICHTIG FÜR IFRAME proxy_hide_header X-Frame-Options; - add_header X-Frame-Options "ALLOWALL" always; - 
proxy_hide_header Content-Security-Policy; - add_header Content-Security-Policy "frame-ancestors *" always; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Content-Security-Policy "frame-ancestors https://server.schooltech.ch" always; } + location = /nginxauth { internal; proxy_pass http://appserverauth:3000/internal/auth; #***# AUTH
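Review bot: The two framing headers added at the end of `location /` can disagree: `X-Frame-Options "SAMEORIGIN"` allows only this vhost's own origin, while `frame-ancestors https://server.schooltech.ch` allows one named origin, and the `server_name` is not visible in the hunk to tell whether they are the same. Browsers that honour `frame-ancestors` ignore X-Frame-Options, so if the embedding page is on a different origin the iframe would load there and be blocked in clients that only understand X-Frame-Options; if the origins do match, `add_header Content-Security-Policy "frame-ancestors 'self'" always;` says the same thing without hard-coding the hostname. Because `add_header` in a location replaces rather than extends the headers inherited from the server block, confirm that anything set higher up (HSTS, for example, if present) is still sent for this location. Separately, `proxy_set_header Connection "upgrade";` now sends the upgrade token on every proxied request instead of only when the client asked for one; keeping `proxy_set_header Connection $connection_upgrade;` (the map is presumably defined outside this hunk) avoids that.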