Glossary

CORS proxy

/kɔːrz ˈprɒksi/

A CORS proxy is a small server-side intermediary that forwards a browser's request to an upstream API and returns the response with the right Access-Control-Allow-Origin header attached. From the browser's perspective the response now comes from an origin that allows it, so the CORS check passes.

What it actually does

  1. Receives a request like GET /proxy?url=https://api.example.com/data.
  2. Issues that request server-to-server (which doesn't trigger CORS — CORS is browser-only).
  3. Returns the upstream response, but with Access-Control-Allow-Origin: * (or a specific origin) added.

The browser sees a same-origin response from the proxy (allowed) instead of a cross-origin response from the upstream (potentially blocked).

When you'd use one

When you'd avoid one

The security gotchas

A naive open CORS proxy is a textbook SSRF tool: anyone can ask it to fetch http://169.254.169.254/latest/meta-data/ and read AWS credentials, or http://10.0.0.5/ and probe internal networks. Production-grade proxies block private-IP targets, refuse non-HTTP schemes, strip dangerous headers, and rate-limit by API key. See our security writeup for the full threat model.

Example

// Direct call — blocked by CORS
fetch('https://api.example.com/data')
  .then(r => r.json())
  // → TypeError: blocked by CORS policy

// Through a CORS proxy — works
fetch('https://api.corsproxy.dev/proxy?url=' +
      encodeURIComponent('https://api.example.com/data'), {
  headers: { 'X-API-Key': 'sk_live_...' }
})
  .then(r => r.json())
  // → { …actual data… }

See also

CORS SSRF Access-Control-Allow-Origin Blog · CORS proxy security Blog · Self-host vs managed