Free CORS proxy — 5 options compared in 2026
A practical look at the free CORS proxy services that are still actually running in 2026: where they cap you, what they cost above the cap, and whether you should trust them with the URLs you send through.
What "free CORS proxy" actually means
A CORS proxy forwards your browser's request to a third-party API and rewrites the response with the right Access-Control-Allow-Origin header. "Free" usually means one of three things:
- A demo instance with strict per-IP rate limits (cors-anywhere).
- An open service funded by ads or a parent product (allorigins, ThingProxy).
- A freemium SaaS with a free tier and paid tiers above it (corsproxy.io, corsproxy.dev).
The five options
1. cors-anywhere.herokuapp.com
The original. Open-source Node project by Rob--W. The demo instance now requires you to click a button on a different page before it'll proxy for you, and even then it's limited to ~50 requests/hour. Production use stopped being viable in 2021.
Best for: nostalgia. Worst for: anything you want to keep working.
Migration: see the dedicated guide.
2. api.allorigins.win
A volunteer-run open proxy that wraps the response in JSONP or returns it as JSON. No API key, no rate limits documented, but heavy use will get you blocked. The maintainer accepts donations.
Best for: quick demos and tutorials. Worst for: anything where the response shape matters — wrapping responses adds an extra layer your client has to parse.
3. ThingProxy by Freeboard
thingproxy.freeboard.io/fetch/<url>. Originally bundled with the Freeboard dashboard product. Still up but rate-limited to ~10 requests/sec per IP. Returns the upstream response verbatim, including the original status code. Reliable for occasional use, not for production.
4. corsproxy.io
A commercial managed proxy with a free tier. Path-style URL: corsproxy.io/?https://api.example.com/data. Free tier has a daily request cap; paid plans start around a few dollars/month. Has a usage dashboard.
Best for: teams who want a quick managed solution without thinking about it.
5. corsproxy.dev (us)
Disclosure: this is our service, on this site. Managed API with API keys, daily rate limits enforced atomically (Cloudflare Durable Objects, no burst overage), and a dashboard. Free tier is 100 requests/day, no credit card. Plus the underlying Go proxy is MIT-licensed and self-hostable — so when you outgrow the managed tier, you can move to your own infra without rewriting client code.
The comparison table
| Service | Free limit | API key | Self-host? | Status |
|---|---|---|---|---|
| cors-anywhere | ~50/hr (demo) | No | Yes | Demo only |
| allorigins | Unmetered (best effort) | No | No | Active |
| ThingProxy | ~10 req/sec | No | No | Active |
| corsproxy.io | Daily cap | Yes | No | Active |
| corsproxy.dev | 100/day | Yes | Yes (MIT) | Active |
What to actually watch for
"Free" is a feature, but so are the things that make a proxy not embarrassing to depend on:
- Does it block private-network targets? An open proxy that will fetch
http://169.254.169.254/is an SSRF bug waiting to be exploited. The proxy's hosting provider gets the blame; you get a side helping of legal letters. corsproxy.dev, corsproxy.io, and modern self-host configs all do this; older demos may not. - Does it forward
Authorizationheaders? If yes, anyone can use the proxy to call paid APIs with someone else's bearer token. Better proxies strip them. - Does it have rate limits per identity? Per-IP limits get crushed by NAT (one shared egress IP can be a whole company). Per-key limits are the right granularity.
- Will it be there next month? Volunteer-run proxies disappear regularly. Pick something with a business model that pays for hosting.
For the full security argument, see how a CORS proxy can be abused.
What we'd actually recommend
- You control the upstream. Don't use any proxy. Configure CORS on the upstream. It's correct and free.
- You're in dev and just need it to work. Use your build tool's proxy config. 5 ways covered here.
- You need a managed proxy in production. Pick one that has API keys, per-key rate limits, and a documented security stance. corsproxy.dev is our answer; corsproxy.io is the next closest.
- You can't send your data through anyone else. Self-host. Our Go binary is MIT; cors-anywhere is the other obvious open-source choice but is heavier (Node + lots of features).
Get 100 free requests/day
No credit card. Email-only sign-in. Self-host the same code later if you outgrow it.