Open source
MIT licensed- Self-host the Go binary anywhere
- No quotas, no API keys, no accounts
- Run alongside your other infra
- One-click deploy: Railway, Render, Fly, Koyeb
- Source on GitHub
Managed relay + open-source runtime
A managed relay for the third-party APIs your frontend has to call — API keys, rate limits, logs, and a dashboard out of the box. Self-host the same runtime when policy or scale requires it.
Fix CORS without shipping a throwaway backend. Free tier — no credit card.
Sign in, create an API key, and start sending requests through the hosted proxy with usage tracking and daily limits.
curl -H "X-API-Key: sk_live_..." \
"https://api.corsproxy.dev/proxy?url=https://api.github.com/users/octocat"
# Browser-friendly form
https://api.corsproxy.dev/proxy?url=https://api.github.com/users/octocat&key=sk_live_...
Create a free account →
Single ~10MB binary. Zero dependencies. Deploys to Railway, Render, Fly, or your own box.
git clone https://github.com/melihbirim/corsproxy
cd corsproxy
go run main.go # listens on :8080
Read the README →
Build browser integrations without standing up a custom relay service. Point your frontend at corsproxy.dev, add an API key, and you're done.
Per-key rate limits, request logs, and abuse controls instead of a public proxy or a one-off serverless function with no governance.
Start managed. Move to the open-source runtime when policy or scale requires it — same proxy core, same wire protocol.
Atomic per-key daily quotas via Cloudflare Durable Objects, blocked private-network targets, and 30-day request history for debugging.
Per-key request counts, error rates, and rate-limit headroom in the dashboard. Export your data anytime.
Data export, account deletion with full erasure, and EU-friendly retention defaults. Designed for production from day one.
What the browser is actually doing, why your server "refuses" to respond, and three concrete ways to fix it.
SSRF, credential laundering, bandwidth burn. The honest threat model and the mitigations corsproxy.dev applies.
Vite proxy, webpack dev-server, server-side headers, the disabled-security browser, and a CORS proxy.
Machine-readable contract for every endpoint. Drop into Stoplight, Swagger UI, Insomnia, or a code generator.
openapi.yaml →Import directly. Two collection variables (jwt + api_key) and you're calling every endpoint.
Live health probes of the API worker, marketing site, dashboard, and Cloudflare edge — checked from your network.
corsproxy.dev/status →