In the HTTP headers of the http://flusko.net requests, the header X-Frame-Options is set to DENY.
This causes the image upload popup in the forum to fail to display on modern browsers, and disables the on-the-fly attachment processing.
I think turning it off should be considered, at least for the /img_assist/ and /upload/ HTML resources.
In nginx this is possible with:
location ~* ^/(img_assist/.*|upload/.*)$ {
    add_header X-Frame-Options "SAMEORIGIN";
}
Validate the exact security and performance implications for yourself please!
The more refined successor is the frame-ancestors directive (https://www.w3.org/TR/CSP2/#directive-frame-ancestors).
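For comparison, here is how the same per-path relaxation could look with frame-ancestors sent alongside X-Frame-Options. This is an added example, not part of the original post or the site's actual configuration. It assumes the headers are set by nginx at the server level rather than by the application behind it, and the server name is a placeholder.

```nginx
server {
    listen 80;
    server_name forum.example;   # placeholder, not the real host

    # Site-wide default: the page may not be framed by anyone.
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none'" always;

    # Upload popup and image-assist resources: allow framing by pages
    # of the same origin only.
    location ~* ^/(img_assist|upload)/ {
        # add_header directives are inherited from the enclosing level
        # only when the current level defines none of its own, so every
        # header wanted on these responses has to be restated here.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;

        # Assumption: whatever hands the request to the forum
        # application (proxy_pass, fastcgi_pass, try_files ...) is
        # repeated in this block, since a regex location does not fall
        # through to another location.
    }
}
```

If the DENY header is emitted by the application instead of nginx, add_header appends a second X-Frame-Options header rather than replacing the first; in that case the upstream header has to be dropped with proxy_hide_header or fastcgi_hide_header in the same location.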