My application is directly accessing the ODS FHIR API from the browser. We have several subdomains for testing. If I make a request, e.g. https://directory.spineservices.nhs.uk/STU3/Organization/E84044, from dev.mydomain.com, and then the same request from staging.mydomain.com, the second request fails with a CORS error as the Access-Control-Allow-Origin header in the response is still set to dev.mydomain.com. However, if I make a request for a different ODS code from staging.mydomain.com, it’s fine.

It feels like the origin for a request is being cached by the API for specific URLs, perhaps based on the originating IP address? Is this a deliberate security feature or something unintended?

Hello jstarmx,

Take a look at this post:

Change to the ORD and STU3 made 5th Sep - Services / Organisation Data Service (ODS) - NHS Digital Developer Community

Thanks very much @alan.rawlings2, I’m still seeing the issue as of yesterday so may reach out to the email address you provided on the other thread.
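
Added example (not part of the thread, and not NHS Digital's code): a constructed simulation of one cause that would produce the symptom described in the question, assuming the API reflects the request's Origin into Access-Control-Allow-Origin and a cache in front of it keys responses on URL alone. The thread does not confirm that this is how the ODS API behaves; the function names and the `OTHER-CODE` identifier are hypothetical.

```javascript
// Constructed simulation: an origin server that reflects the request Origin
// into Access-Control-Allow-Origin, sitting behind a response cache.
function originServer(url, origin, sendVary) {
  const headers = { "access-control-allow-origin": origin };
  if (sendVary) headers["vary"] = "Origin";
  return { url, headers, body: `resource for ${url}` };
}

// Minimal cache: keyed on URL, plus the Origin header once Vary names it.
function makeCache(sendVary) {
  const store = new Map();
  const varyByUrl = new Map(); // remembers the Vary header seen per URL
  const keyFor = (url, origin, vary) =>
    vary === "Origin" ? `${url}|${origin}` : url;
  return function fetchThroughCache(url, origin) {
    const key = keyFor(url, origin, varyByUrl.get(url));
    if (store.has(key)) return { ...store.get(key), cache: "HIT" };
    const res = originServer(url, origin, sendVary);
    varyByUrl.set(url, res.headers["vary"]);
    store.set(keyFor(url, origin, res.headers["vary"]), res);
    return { ...res, cache: "MISS" };
  };
}

// The browser's CORS check: the header must equal the page origin (or be "*").
function corsAllows(response, pageOrigin) {
  const acao = response.headers["access-control-allow-origin"];
  return acao === "*" || acao === pageOrigin;
}

// Replays the three requests from the question and reports which pass CORS.
function replay(sendVary) {
  const fetchThroughCache = makeCache(sendVary);
  const dev = "https://dev.mydomain.com";
  const staging = "https://staging.mydomain.com";
  const base = "https://directory.spineservices.nhs.uk/STU3/Organization/";
  return [
    corsAllows(fetchThroughCache(base + "E84044", dev), dev),
    corsAllows(fetchThroughCache(base + "E84044", staging), staging),
    corsAllows(fetchThroughCache(base + "OTHER-CODE", staging), staging),
  ];
}

console.log("without Vary: Origin:", replay(false)); // [ true, false, true ]
console.log("with Vary: Origin:   ", replay(true));  // [ true, true, true ]
```

Against a live endpoint, the equivalent check is to compare the `Access-Control-Allow-Origin` and `Vary` response headers for the same URL requested with two different `Origin` values.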