Does Cloudflare strip security headers from the origin? Is there a way to get those to passthru?
X-Frame-Options is modified from DENY to SAMEORIGIN
I see a few posts about this with mixed responses.
This same site has very different results.