Public AIT embed

The AIT area exposes two public pages that a municipality embeds via iframe on its own website, for its residents, without the bat-id app: a read-only interactive map and the list of public consultations. Decoupled from any AIT session.

Read-only, no private data

Public routes: no authentication, no AIT session, no Policy. No alert zone, no bat-id identifier, no private data. No write operation possible.

Endpoints

Method  Route                              Content
GET     /ait/embed/{municipality}          Interactive map (geometric shapes of the municipality)
GET     /ait/embed-alerts/{municipality}   List of public consultations (BO notices)

{municipality} = identifier of the municipality (route-model binding). Optional language on the map:

GET /ait/embed/{municipality}?lang=fr   (or lang=de ; default = application locale, fallback fr)

Interactive map — /ait/embed/{municipality}

Serves the geometric shapes published by the municipality.

  • Payload per shape: title, information, colour, target audiences, pictograms, validity bounds (valid_from, valid_until).
  • Time slice (past / present / future) computed server-side; period filter applied client-side.
  • Client filters on the target audiences and pictograms actually present.
  • Geometries served as GeoJSON (FeatureCollection).

Valid shapes only

The server exposes only shapes intended for public distribution. No alert zone or personal data in the payload.

List of alerts — /ait/embed-alerts/{municipality}

Notices from the municipality's official bulletin (up to 300, most recent first), without a map. Per entry: date, age in days, parcels concerned, category, title, source, link to the PDF. A discreet bat-id mention encouraging geolocation. Active by default for all municipalities.

iframe integration

Headers configured for these two routes only:

  • Content-Security-Policy: frame-ancestors * — allows embedding by any third-party municipal site.
  • X-Frame-Options removed — neutralised in case a reverse proxy adds a DENY/SAMEORIGIN. On modern browsers, frame-ancestors prevails; both cases are covered.

Scope of the headers

Limited to the two embed routes. No global header middleware is touched.
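
A header audit for the scoping described above, added here as an example (not bat-id's own code): it flags an embed route whose framing would be blocked by a second CSP policy or a proxy-added X-Frame-Options, and any other route that carries frame-ancestors *. The sample responses, the municipality id 123 and the /login route are constructed.

```python
import re

# The two public embed routes documented on this page.
EMBED_ROUTE = re.compile(r"^/ait/embed(-alerts)?/[^/]+$")

def frame_ancestors(headers):
    """Return the frame-ancestors source list of every CSP policy that has one."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for policy in value.split(","):        # one header may carry several policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    found.append([p.lower() for p in parts[1:]])
                    break                      # first occurrence wins within a policy
    return found

def audit(url, headers):
    """Return findings for one response; an empty list means 'as documented'."""
    path = url.split("?", 1)[0]
    policies = frame_ancestors(headers)
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    findings = []
    if EMBED_ROUTE.match(path):
        if not policies:
            findings.append("embed: no frame-ancestors directive")
        elif any(sources != ["*"] for sources in policies):
            # Every policy must allow the embedder, so one strict policy blocks the iframe.
            findings.append("embed: a policy narrows frame-ancestors")
        if xfo:
            # Overridden by frame-ancestors on modern browsers, still honoured by old ones.
            findings.append("embed: X-Frame-Options present (" + xfo[0] + ")")
    elif any("*" in sources for sources in policies):
        findings.append("other: frame-ancestors * outside the embed routes")
    return findings

# Constructed responses (id 123 and /login are hypothetical), not captured traffic.
SAMPLES = [
    ("/ait/embed/123?lang=de", [("Content-Security-Policy", "frame-ancestors *")]),
    ("/ait/embed-alerts/123", [("Content-Security-Policy", "frame-ancestors *"),
                               ("X-Frame-Options", "SAMEORIGIN")]),
    ("/ait/embed/123", [("Content-Security-Policy", "frame-ancestors *"),
                        ("content-security-policy", "frame-ancestors 'self'")]),
    ("/login", [("Content-Security-Policy", "default-src 'self'; frame-ancestors *")]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit(url, headers) or "ok")
```

Run it against the headers seen from outside the reverse proxy, since that is the response the embedding site's browser evaluates.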

Responsive example

<div style="position:relative; width:100%; padding-top:62.5%;">
  <iframe
    src="https://demo.bat-id.ch/ait/embed/{ID_COMMUNE}?lang=fr"
    title="Carte des mises à l'enquête"
    loading="lazy"
    style="position:absolute; inset:0; width:100%; height:100%; border:0;"
    referrerpolicy="no-referrer">
  </iframe>
</div>

For the list of alerts, replace the path with /ait/embed-alerts/{ID_COMMUNE}.

Best practices

loading="lazy" + a fixed-ratio container to avoid layout shift. The domain depends on the environment (demo / production) — check the exact URL on the AIT side.