AeroModel
Documentation
CORS
The API returns permissive CORS headers to allow browser calls.
Headers sent
access-control-allow-origin: *
access-control-allow-methods: GET, OPTIONS
access-control-allow-headers: x-api-key, authorization, content-type
access-control-expose-headers: cf-cache-status, x-image-source, x-livery-state, x-fallback-reason, x-compose-align, x-compose-pitch
access-control-max-age: 86400
OPTIONS preflight
For requests with a non-simple header (e.g. x-api-key), the browser first sends a preflight:
OPTIONS /v1/images/plane HTTP/1.1
Origin: https://example.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-api-key
The API replies 204 No Content with the headers above.
Restrict to your domain
The API does not currently support origin restriction server-side (auth is via API key). To restrict usage to your site, route through a backend proxy:
[Browser] → [Your backend (checks Origin)] → [api.aeromodel.dash-systems.fr (with key)]
See API key safety.
Loading an image without CORS
Loading the image via <img src="..."> does not invoke CORS — that's only for fetch() and XHR. Therefore:
<!-- No CORS issue -->
<img src="https://api.aeromodel.dash-systems.fr/v1/images/plane?plane=A320&airline=AF" />
// Subject to CORS — your origin must be allowed
const r = await fetch("https://api.aeromodel.dash-systems.fr/v1/images/plane?plane=A320&airline=AF", {
headers: { "x-api-key": "<key>" }
});
const blob = await r.blob();
The API allows *, so any fetch works. However, the API key exposed client-side is visible. That's why we recommend a proxy.