FAQ

Frequently asked questions

Quick answers to the questions that show up in our inbox.

Do you log my requests?

We log each proxy request for 30 days: the timestamp, upstream URL, response status, and the user_id / key_id that made it. Request and response bodies are not stored. After 30 days, Cloudflare KV's expirationTtl deletes them automatically. The data is visible to the account that made the request, and to the operations team for incident response.

Can I proxy authenticated endpoints?

Yes, but we never forward the browser's Authorization or Cookie headers to the upstream. If the upstream needs auth, include it explicitly in the request body or URL — that way you decide what the proxy sees.

Can I self-host instead?

Yes. The OSS Go binary at github.com/melihbirim/corsproxy implements the proxy core under MIT. It's a single ~10MB binary with zero external dependencies. The managed SaaS adds API keys, a dashboard, rate limits, and analytics on top of that core.

What's your uptime SLA?

The Free tier ships best-effort on Cloudflare Workers. Cloudflare's platform SLA is 99.99% for the Workers runtime; we don't make a public commitment on top of that for free accounts. Paid tiers include a contractual SLA — contact us for details.

Are you GDPR-compliant?

Yes. We store the minimum personal data (email, plus metadata for keys/usage), retain request logs for 30 days, and provide one-click data export plus full account deletion from the dashboard. The data lives in Cloudflare's global edge network — see the Privacy Policy for the data-transfer details.

What happens when I hit my daily limit?

Further requests return HTTP 429 with a Retry-After pointing at the next midnight UTC reset. We also send a one-shot email when you cross the limit so you know without checking the dashboard. Upgrade requests live on the Upgrade page.

Do you cache responses?

No. Every request is a fresh upstream fetch. Caching could leak data between accounts that happen to request similar URLs, so the proxy stays stateless.

Can I use this in production?

For development and prototypes, definitely. For production: it depends on your security posture. If your data is sensitive, the long-term answer is usually to add CORS headers on the upstream itself, or run our open-source binary inside your own perimeter. The managed API is fine for cases where a public proxy is acceptable — most public-data API integrations qualify.

Why not just configure CORS server-side?

You should, when you control the upstream. The proxy exists for the cases where you don't — third-party APIs, partner systems, legacy services. See our guide on CORS errors.

Didn't see your question?

Email contact@corsproxy.dev — we read everything.