The honest deep-dive
Avoid in production
Public CORS proxies (cors-anywhere, allorigins, etc.)
Fine for a demo or a hackathon, dangerous for a product. They rate-limit aggressively, can disappear without notice, and your users' traffic transits a server you don't operate. cors-anywhere.herokuapp.com is now limited to roughly 50 requests/hour, by design.
When to use: a one-off prototype where the cost of breakage is zero.
Works, until it doesn't
A DIY Cloudflare Worker (or Lambda, or Fly app)
A 50-line Worker that adds CORS headers is the right call for one project at one company. The cost shows up later: when you need API keys, per-project quotas, abuse handling, observability, and a way to revoke access without a redeploy. Each one of those is a couple of days of work. Compounded across a team, it's the proxy infra you didn't want to own.
When to use: a single internal tool, never expected to grow.
Right answer for some teams
Your own backend (Express, Fastify, Lambda, etc.)
If you already have a backend service and the third-party call is part of a server-side workflow, just put it there. You get full control, full auth, no relay layer. The trap is using "we need a backend anyway" as the reason to spin up a service whose only job is to forward requests — that's where teams burn weeks reinventing a relay.
When to use: the backend already exists, or the integration needs server-side state (secrets, queues, retries).
Why we built it
corsproxy.dev
A managed relay aimed at the case the other three options handle badly: a frontend team shipping production browser integrations who doesn't want to own proxy infrastructure. You get per-key quotas, request logs, a dashboard, abuse controls, and SSRF protection on day one. If you later need full control, the same runtime is MIT-licensed on GitHub — start hosted, move to self-hosted, same wire protocol.
Create a free account · API docs
Status · GitHub