Notes on CORS, proxies, and web security

Working notes from the team behind corsproxy.dev. Plain-English explanations and honest tradeoffs.

Why am I getting a CORS error? — a practical guide

The browser console says "blocked by CORS policy". What that actually means, why it happens, and three ways to fix it — with code.

Tutorial · ~7 min read

How to enable CORS in Node.js and Express

The one-line dev fix, the production-ready allowlist, the per-route configuration, and the common gotchas — with copy-paste code.

Tutorial · ~6 min read

CORS with cookies and credentials: the rules that bite

Your login sets a cookie but the next request comes back logged out. The four moving parts that all have to align, with code and the most common failures.

Deep dive · ~8 min read

5 ways to fix CORS in development

Vite proxy config, webpack-dev-server, server-side CORS, a flag-disabled browser, and a CORS proxy. Five practical fixes, ordered by how production-safe each one is.

How-to · ~6 min read

Free CORS proxy: 5 options compared in 2026

cors-anywhere, allorigins, ThingProxy, corsproxy.io, and corsproxy.dev. Which ones are still maintained, what their limits are, and what to watch out for.

Comparison · ~6 min read

How a CORS proxy works — and how it can be abused

CORS proxies are powerful and, by default, dangerous. Here's how an open relay can be weaponised, and what corsproxy.dev does to make sure ours isn't one.

Security · ~9 min read

Self-host vs managed CORS proxy: which one for which job?

Same proxy core, two operational shapes. Cost, control, security, and ops — when each one wins, and how to switch between them.

Comparison · ~7 min read

Migrating from cors-anywhere to corsproxy.dev

The public cors-anywhere.herokuapp.com demo is rate-limited to ~50 requests per hour. Here's the drop-in migration path with code for vanilla fetch, Axios, and helper wrappers.

Migration · ~5 min read

Frequently asked questions

Logging policy, GDPR posture, authentication header forwarding, self-hosting options, and other things people email us about.

FAQ

One post a week, no marketing fluff.

Get new posts and glossary entries on CORS, web security, and proxy operations in your inbox. Unsubscribe in one click.