Change the X-Frame-Options to allow all domains

Question

I am trying to use some site of mine as an iframe from a different site of mine.

My problem is- the other site is always consistently changes his IP address

Answer 1

Well you can check the ip address of the remote host from the server. You can then send a X-Frame-Options response HTTP header with the value: "Allow-From ip-address", where ip address is the remote ip address that is trying to embed content on your server. This will allow your website to be embedded by all websites that are accessed using an ip address from the browser.

Another option is to embed the content in iframe and include the domain name in the iframe source url. The domain name parameter can be read by the server and included in the X-Frame-Options response header.

Answer 2

ALLOWALL is the default value.

Sometimes frameworks MVC such as Rails, Laravel, Django and so on, set a X_FRAME_OPTIONS to SAMEORIGIN so someone might need to reset it to the origin ALLOWALL value.

Answer 3

If you set it, then you can only set it to DENY, SAMEORIGIN, or ALLOW-FROM (a specific origin).

Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that.

Note that the successor to X-Frame-Options — CSP's frame-ancestors directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all.