Attributed browser widget

Embeddable Search Widget

Create a snippet for a widget-tier API key constrained to your exact browser origin.

How it works

The self-hosted script creates a labelled search field, calls the dedicated widget endpoint and displays a short list of links back to IFSCPIN.in. It does not copy the source dataset into the host page and does not load advertising or analytics.

Security model

Create a widget-tier key in administration and list the allowed origin, including scheme and host. The endpoint checks the key, origin, daily quota and abuse-safe IP signal. Wildcard CORS is not used.

Accessibility and fallback

The widget uses normal labels, keyboard-selectable links and a visible attribution. If JavaScript fails, the host should retain a normal link to the IFSCPIN search page.

Privacy

Do not prefill personal or financial details. Queries are used only to return directory suggestions and are not sent to third-party analytics by the widget.

Use a dedicated widget-tier key

The widget runs in a visitor’s browser, so its key is visible in page source and network requests. Never place a server, paid or internal API key in the snippet. Create a widget-tier key with a modest daily quota and one or more exact HTTPS origins. The endpoint checks the key type, request origin, daily usage and short-burst rate limit before returning suggestions.

Exact-origin CORS policy

The service does not use wildcard CORS. An allowed origin includes the scheme, hostname and optional port, such as https://example.com. Paths and wildcards are not accepted. A request from a different subdomain is a different origin and must be approved separately. This reduces casual reuse of a public browser key on unrelated sites.

What the script adds

The self-hosted JavaScript creates a labelled search input, a status region and a compact list of destination links. Results lead back to IFSCPIN.in, preserving source context and attribution. The widget does not copy the RBI or India Post datasets into the host page, does not expose internal record IDs and does not load advertising or third-party analytics.

Accessibility and resilience

The generated interface uses a visible label, keyboard-operable result links, readable status text and ordinary HTML navigation. The host page should also include a normal link to IFSCPIN.in so visitors retain a usable path when JavaScript, cross-origin requests or the widget service are unavailable. Do not place the widget inside a control that traps focus.

Privacy-safe integration

Do not prefill bank account numbers, phone numbers, email addresses, card details or other personal information. The query should be a public bank, branch, IFSC, PIN, post office, city, guide or tool term. The endpoint applies privacy-safe query handling and does not send widget searches to advertising systems.

Operational checklist

  1. Create a widget-tier key and copy it once.
  2. Register the exact production origin.
  3. Test keyboard navigation and mobile layout.
  4. Monitor quota and error counts in administration.
  5. Rotate or revoke a key exposed on an unauthorized origin.
  6. Keep the required attribution and link intact.

Use separate keys for development and production so a test-domain leak can be revoked without interrupting the live widget. Review the allowed-origin list after domain changes, and remove keys that have not been used or no longer have an accountable owner.