Comparison

Free CORS proxy — 5 options compared in 2026

A practical look at the free CORS proxy services that are still actually running in 2026: where they cap you, what they cost above the cap, and whether you should trust them with the URLs you send through.

~6 min read · Updated 2026

What "free CORS proxy" actually means

A CORS proxy forwards your browser's request to a third-party API and rewrites the response with the right Access-Control-Allow-Origin header. "Free" usually means one of three things:

The five options

1. cors-anywhere.herokuapp.com

The original. Open-source Node project by Rob--W. The demo instance now requires you to click a button on a different page before it'll proxy for you, and even then it's limited to ~50 requests/hour. Production use stopped being viable in 2021.

Best for: nostalgia. Worst for: anything you want to keep working.

Migration: see the dedicated guide.

2. api.allorigins.win

A volunteer-run open proxy that wraps the response in JSONP or returns it as JSON. No API key, no rate limits documented, but heavy use will get you blocked. The maintainer accepts donations.

Best for: quick demos and tutorials. Worst for: anything where the response shape matters — wrapping responses adds an extra layer your client has to parse.

3. ThingProxy by Freeboard

thingproxy.freeboard.io/fetch/<url>. Originally bundled with the Freeboard dashboard product. Still up but rate-limited to ~10 requests/sec per IP. Returns the upstream response verbatim, including the original status code. Reliable for occasional use, not for production.

4. corsproxy.io

A commercial managed proxy with a free tier. Path-style URL: corsproxy.io/?https://api.example.com/data. Free tier has a daily request cap; paid plans start around a few dollars/month. Has a usage dashboard.

Best for: teams who want a quick managed solution without thinking about it.

5. corsproxy.dev (us)

Disclosure: this is our service, on this site. Managed API with API keys, daily rate limits enforced atomically (Cloudflare Durable Objects, no burst overage), and a dashboard. Free tier is 100 requests/day, no credit card. Plus the underlying Go proxy is MIT-licensed and self-hostable — so when you outgrow the managed tier, you can move to your own infra without rewriting client code.

The comparison table

Service Free limit API key Self-host? Status
cors-anywhere~50/hr (demo)NoYesDemo only
alloriginsUnmetered (best effort)NoNoActive
ThingProxy~10 req/secNoNoActive
corsproxy.ioDaily capYesNoActive
corsproxy.dev100/dayYesYes (MIT)Active

What to actually watch for

"Free" is a feature, but so are the things that make a proxy not embarrassing to depend on:

For the full security argument, see how a CORS proxy can be abused.

What we'd actually recommend

  1. You control the upstream. Don't use any proxy. Configure CORS on the upstream. It's correct and free.
  2. You're in dev and just need it to work. Use your build tool's proxy config. 5 ways covered here.
  3. You need a managed proxy in production. Pick one that has API keys, per-key rate limits, and a documented security stance. corsproxy.dev is our answer; corsproxy.io is the next closest.
  4. You can't send your data through anyone else. Self-host. Our Go binary is MIT; cors-anywhere is the other obvious open-source choice but is heavier (Node + lots of features).

Get 100 free requests/day

No credit card. Email-only sign-in. Self-host the same code later if you outgrow it.

Create a free account →