diff --git a/custom/cryptpad/conf.d/cryptpad.conf b/custom/cryptpad/conf.d/cryptpad.conf
index 8aa3515..3b38345 100644
--- a/custom/cryptpad/conf.d/cryptpad.conf
+++ b/custom/cryptpad/conf.d/cryptpad.conf
@@ -11,9 +11,6 @@ server {
     set_real_ip_from  10.0.0.0/8;
     real_ip_header    X-Forwarded-For;
 
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "Upgrade";
-
     # CryptPad serves static assets over these two domains.
     # `main_domain` is what users will enter in their address bar.
     # Privileged computation such as key management is handled in this scope
@@ -33,8 +30,8 @@ server {
     #
     # An example is given below which can be uncommented if you want to block
     # remote sites from including content from your server
-    set $allowed_origins "*";
-    # set $allowed_origins "https://${sandbox_domain}";
+    # set $allowed_origins "*";
+    set $allowed_origins "https://${sandbox_domain}";
 
     # CryptPad's dynamic content (websocket traffic and encrypted blobs)
     # can be served over separate domains. Using dedicated domains (or subdomains)
diff --git a/custom/cryptpad/config.js b/custom/cryptpad/config.js
index 4d86ab3..053341f 100644
--- a/custom/cryptpad/config.js
+++ b/custom/cryptpad/config.js
@@ -46,7 +46,7 @@ module.exports = {
      *  cryptpad/docs/example.nginx.conf (see the $main_domain variable)
      *
      */
-    httpUnsafeOrigin: 'http://localhost:3000',
+    httpUnsafeOrigin: 'https://pad.ixvd.net',
 
     /*  httpSafeOrigin is the URL that is used for the 'sandbox' described above.
      *  If you're testing or developing with CryptPad on your local machine then
@@ -67,7 +67,7 @@ module.exports = {
      *
      *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
      */
-    httpSafeOrigin: "https://pad.ixvd.net",
+    httpSafeOrigin: "https://pad.sandbox.neo.ixvd.net",
 
     /*  httpAddress specifies the address on which the nodejs server
      *  should be accessible. By default it will listen on 127.0.0.1