### Config * `EMBED_ALLOWED_ORIGINS` – comma-separated list; supports `*` wildcards. * Send appropriate headers: * `Content-Security-Policy: frame-ancestors <origins>` * `X-Frame-Options: ALLOW-FROM <first-origin>` (or `ALLOWALL` if `*`) ### Query parameters | param | default | description | | -------------- | ------- | -------------------------------------------- | | `id` | – | deep-link to a single card (`/embed?id=123`) | | `dateFrom` | – | ISO start date filter | | `dateTo` | – | ISO end date filter | | `showArchived` | `false` | include archived cards | | `slideshow` | `false` | slideshow mode | | `interval` | `60` | seconds per slide | ### Behaviour 1. If `id` is present, render that card only. 2. Otherwise apply filters and render a list (gallery mode). 3. When `slideshow=true`, use the single mode and cycle cards every `interval` seconds. 4. Reject iframe requests if `Origin` is not in `EMBED_ALLOWED_ORIGINS`. ### Acceptance criteria * Valid origins can embed; invalid ones get **403**. * Single-card and filtered modes both return standalone HTML. * Rotation works with 60 s default and custom intervals. * Archived cards appear only when `showArchived=true`.
Config
EMBED_ALLOWED_ORIGINS– comma-separated list; supports*wildcards.Send appropriate headers:
Content-Security-Policy: frame-ancestors <origins>X-Frame-Options: ALLOW-FROM <first-origin>(orALLOWALLif*)Query parameters
id/embed?id=123)dateFromdateToshowArchivedfalseslideshowfalseinterval60Behaviour
idis present, render that card only.slideshow=true, use the single mode and cycle cards everyintervalseconds.Originis not inEMBED_ALLOWED_ORIGINS.Acceptance criteria
showArchived=true.