Rob--W / cors-anywhere

CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request.
MIT License

PSA: Public demo server (cors-anywhere.herokuapp.com) will be very limited by January 2021, 31st #301

Open Rob--W opened 3 years ago

Rob--W commented 3 years ago

The demo server of CORS Anywhere (cors-anywhere.herokuapp.com) is meant to be a demo of this project. But abuse has become so common that the platform where the demo is hosted (Heroku) has asked me to shut down the server, despite efforts to counter the abuse (rate limits in #45 and #164, and blocking other forms of requests). Downtime becomes increasingly frequent (e.g. recently #300, #299, #295, #294, #287) due to abuse and its popularity.

To counter this, I will make the following changes:

  1. The rate limit will decrease from 200 (#164) per hour to 50 per hour.
  2. By January 31st, 2021, cors-anywhere.herokuapp.com will stop serving as an open proxy.
  3. From February 1st, 2021, cors-anywhere.herokuapp.com will only serve requests after the visitor has completed a challenge: The user (developer) must visit a page at cors-anywhere.herokuapp.com to temporarily unlock the demo for their browser. This allows developers to try out the functionality, to help with deciding on self-hosting or looking for alternatives.

What should current users of CORS Anywhere do in response to this announcement?

If possible, try to avoid the need for a proxy at all. CORS Anywhere works by combining proxy functionality with CORS. You may not need proxy functionality, if the web service that you are trying to access already supports CORS. This is the preferred solution because it is faster and more reliable. For development, you can also consider the use of browser extensions that automatically enable CORS for certain websites.

If your use of CORS Anywhere is infrequent, then the exception from step 3 above will allow you to continue as before. The only difference is that you need to explicitly opt in before access is temporarily allowed. If you'd like to not have these restrictions, then you should self-host CORS Anywhere.

For an example of self-hosting, see https://github.com/Rob--W/cors-anywhere#demo-server . There are also many questions and answers about hosting on the issue tracker here (https://github.com/Rob--W/cors-anywhere/issues). If you have questions, please search for existing issues first before opening a new issue.

Rob--W commented 3 years ago

As announced, the public demo has been restricted. If you are developing a new web application and want to try out CORS Anywhere, visit https://cors-anywhere.herokuapp.com/ and click on the "Request temporary access to the demo server" button, to temporarily restore the full functionality of CORS Anywhere for your client only.

yunyuyuan commented 3 years ago

@gitalk

rizkhal commented 3 years ago

I have the message "You currently have temporary access to the demo server." but it is still not working

Rob--W commented 3 years ago

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

chrisabrams commented 3 years ago

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

Same issue. I go to /corsdemo and click on the button, then I try to make any request and still get a 403 forbidden.

Rob--W commented 3 years ago

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

Same issue. I go to /corsdemo and click on the button, then I try to make any request and still get a 403 forbidden.

Again: please file an issue with exact reproduction steps. 403 can also be the result of something else (e.g. it being the real reply). I cannot resolve the issue unless you share the steps/URL/code/commands to reproduce the issue.

AlexyOd commented 3 years ago

"You currently have temporary access to the demo server.", but not working

Rob--W commented 3 years ago

I have just published an update to the demo server to improve the detection of a "client". Previously, Heroku routers were mistakenly identified as the "client"; with the fix, the actual clients are identified instead.

ajsingh007 commented 3 years ago

Thanks for the PSA, was wondering why I was getting errors lol. This service was super useful to me and I am able to run it locally for a personal project. Am experimenting with hosting it on my own server. Appreciate your work on this project!!

isoaxe commented 3 years ago

Hi Rob. Yesterday I requested temporary access via the button located at '/corsdemo'. This got my app working again, though today I had to go through the process again.

Is frequently re-requesting access the intended behaviour? For development purposes this is not an issue, but in production a user couldn't be expected to do this of course. I'm just using the app as a portfolio project by the way, with very little traffic.

jumpjack commented 3 years ago

So what should I do to host cors-anywhere on my server? Documentation is very far from being clear. Which folder structure should I create on my server? Which files from the .zip I downloaded from github should I copy to the server? Which address should I call from my script rather than "https://cors-anywhere.herokuapp.com" before the resource I need? Which files should I edit to apply my own restriction? Which kind of hosting service do I need? Should the server have any specific requirement, or will any hosting service work?

heitorpacheco commented 3 years ago

What can I do to use this in production? Is it just me to publish this project and use the url in front of my api?

Rob--W commented 3 years ago

@Isoaxe

Hi Rob. Yesterday I requested temporary access via the button located at '/corsdemo'. This got my app working again, though today I had to go through the process again.

Is frequently re-requesting access the intended behaviour?

This is intended. The announcement here and the page where you request access very clearly state that access is temporary. The public demo is identical to the source code in this repository, except with additional routing logic in front to verify that access is permitted. The access is regularly revoked (currently 1-2 times per day, sometimes more if the server is overloaded).

For development purposes this is not an issue, but in production a user couldn't be expected to do this of course. I'm just using the app as a portfolio project by the way, with very little traffic.

Previously, the demo server was open to everyone by default. Due to the abuse, the service was often slow or unavailable, which made it a bad service to rely on for portfolio sites. I have once received a request from a student to help them with recovering their grade after their application failed when the public demo was unavailable. These kinds of scenarios can only be avoided by very clearly making the demo opt-in.

For prototyping purposes (e.g. a demo project or an example on a portfolio), you could link to the /corsdemo page and ask visitors to click on the button, once, to opt in.

@jumpjack

So what should I do to host cors-anywhere on my server? Documentation is very far from being clear.

This project is a library that can be used to create a CORS proxy server. The project ships with a sample, server.js, that uses the library with some default values. The top comment at this page links to "Demo server" in the README, which shows an example of starting the server (or even hosting it on Heroku). There are issues (questions & answers) on this issue tracker about hosting on other platforms.

I occasionally see people forking the project and removing requireHeaders+Origin, or allowing credentials (e.g. cookies). Do not commit the mistake of doing that; it is insecure. I have previously shared some comments about security at #152.

Which folder structure should I create on my server? Which files from the .zip I downloaded from github should I copy to the server?

The relevant files are referenced at https://github.com/Rob--W/cors-anywhere/blob/528ad7109fa55bdde8055dd035bb16140a29c336/package.json#L23-L29 If you don't care about the unit tests, then lib/ and server.js can be copied. It may be easier to clone the repository and occasionally fetch new changes. The public demo runs off a fork of the master branch of this repository.

Which address should I call from my script rather than "https://cors-anywhere.herokuapp.com" before the resource I need?

The server address (scheme + host name + port) on which the CORS Anywhere proxy is running.

Which files should I edit to apply my own restriction?

See the "Demo server" documentation, or edit server.js to have custom logic if the sample doesn't fit your needs.

Which kind of hosting service do I need? Should the server have any specific requirement, or will any hosting service work?

The hosting platform needs to be able to run Node.js.

@heitorpacheco

What can I do to use this in production? Is it just me to publish this project and use the url in front of my api?

If you want to operate an open proxy, then yes. If you want to apply restrictions, see my other remarks in this comment.

isoaxe commented 3 years ago

Thanks for getting back to me. I'll give self hosting a go and if I can't manage it just redirect to the corsdemo page as you suggest.

ntotao commented 3 years ago

Thanks for the hard work you have put in this, really remarkable job, I've mounted now a self-hosting instance, but really appreciated your openness before the headsup to close the service! much <3

Corey-Wademan commented 3 years ago

Hey Rob, thank you very much for all your documentation and updates. I was using cors-anywhere in my fetch api directing towards the Yelp Fusion API, and querying results into a personal project app on my portfolio. I'm doing everything strictly on the Front End (don't know how to do this on the backend yet), are there any other options you could recommend to solve this issue around the No 'Access-Control-Allow-Origin' header? Thanks again

Rob--W commented 3 years ago

@Corey-Wademan

I was using cors-anywhere in my fetch api directing towards the Yelp Fusion API, and querying results into a personal project app on my portfolio. I'm doing everything strictly on the Front End (don't know how to do this on the backend yet), are there any other options you could recommend to solve this issue around the No 'Access-Control-Allow-Origin' header?

The best solution is to ask your API service provider to support CORS. There appears to be a pending feature request, without recent activity though: https://github.com/Yelp/yelp-fusion/issues/64 If that is not an option, then you have to make the request from a backend, either by building that backend yourself, or by self-hosting CORS Anywhere. The first comment here refers to the README for deploying CORS Anywhere to Heroku, and there are other issues on this issue tracker with instructions for other platforms.

PS. To everyone who is considering posting a new comment here - Please file a new issue if you have questions that are unrelated to the announcement here. This issue should only be used for comments related to the announcement.

samneng commented 3 years ago

I have found a useful replacement https://cors.bridged.cc/ See detail

leboceb commented 3 years ago

Hi guys, any idea what we can use besides the above?

Thanks

isoaxe commented 3 years ago

@Corey-Wademan If you're still looking for a solution to this problem, you can follow the steps in this readme.

amirahefiene commented 3 years ago

Hello, I used this solution on Dynamics CRM 365. For this issue, any update for the managed solution? Thanks

samber commented 3 years ago

Hi there,

I see some of you are looking for a replacement to cors-anywhere.

Don't waste your time searching for a better tool: just deploy your own instance to Heroku (free dyno).

It takes 5 minutes. 10 minutes if you need to create a Heroku account 😊

yunyuyuan commented 3 years ago

Hi there,

I see some of you are looking for a replacement to cors-anywhere.

Don't waste your time searching for a better tool: just deploy your own instance to Heroku (free dyno).

It takes 5 minutes. 10 minutes if you need to create a Heroku account

It can work, but it's not good. They will stop your app when nobody visits your app for a while. Then the next visit will be very slow.

lestgabo commented 3 years ago

thanks for your service

trentwiles commented 3 years ago

Well, you just broke the internet 😆

LincCodes commented 3 years ago

Hey, I have forked the project and hosted it on Heroku, but it's giving me a 403 status code. I have read (red) the documentation. Did a few changes but it's not working, please help....

By the way, thank you for this project!!!!

Rob--W commented 3 years ago

@LincCodes The only way to get 403 on a clean fork of CORS Anywhere is when you've configured restrictions for what origins are allowed access (e.g. via the CORSANYWHERE_BLACKLIST or CORSANYWHERE_WHITELIST environment variables, if you use the server.js from the project). Make sure to use the correct syntax; if you need a refresher on what an Origin is, see https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#definition_of_an_origin
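The origin-list syntax mentioned in the reply above, together with the earlier warning about removing `requireHeader` or letting cookies through, as an added example that is not part of the thread or of the project's code: a pre-deployment audit of the options for a self-hosted instance. The option names (`requireHeader`, `removeHeaders`, `originWhitelist`, `originBlacklist`) are the project's; the helper names, the sample origins, and the assumption that list entries are compared to the `Origin` header as exact strings are assumptions of this example.

```javascript
// Added example: audit the options of a self-hosted CORS Anywhere instance.
// Helper names and sample origins are hypothetical.

// CORSANYWHERE_WHITELIST / CORSANYWHERE_BLACKLIST hold comma-separated origins.
// Assumption: entries are used as-is, so a space after a comma stays in the entry.
function parseEnvList(value) {
  return value ? value.split(',') : [];
}

// An origin is scheme + host + port (port omitted when it is the default).
// new URL(x).origin gives the canonical spelling browsers send in `Origin`.
function checkOriginEntry(entry) {
  let url;
  try {
    url = new URL(entry);
  } catch (e) {
    return 'not an absolute URL (scheme missing?)';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return 'not an http(s) origin';
  }
  return url.origin === entry ? null : 'not canonical, use "' + url.origin + '"';
}

// Assumption: exact string comparison against the Origin request header.
function isOriginAllowed(origin, whitelist, blacklist) {
  if (blacklist.includes(origin)) return false;
  return whitelist.length === 0 || whitelist.includes(origin);
}

function auditProxyOptions(opts) {
  const findings = [];
  if (!(opts.requireHeader || []).length) {
    findings.push('requireHeader is empty: the proxy can be used for casual browsing');
  }
  const removed = (opts.removeHeaders || []).map((h) => h.toLowerCase());
  if (!removed.includes('cookie')) {
    findings.push('removeHeaders lacks "cookie": request cookies would be forwarded');
  }
  for (const key of ['originWhitelist', 'originBlacklist']) {
    for (const entry of opts[key] || []) {
      const problem = checkOriginEntry(entry);
      if (problem) findings.push(key + ' entry ' + JSON.stringify(entry) + ': ' + problem);
    }
  }
  return findings;
}

// Constructed sample: the second entry has a leading space and a trailing slash,
// so a browser sending "Origin: https://admin.example" never matches it.
const sample = {
  requireHeader: ['origin', 'x-requested-with'],
  removeHeaders: ['cookie', 'cookie2'],
  originWhitelist: parseEnvList('https://app.example, https://admin.example/'),
  originBlacklist: [],
};
console.log(auditProxyOptions(sample));
console.log(isOriginAllowed('https://admin.example', sample.originWhitelist, []));
```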

LincCodes commented 3 years ago

@LincCodes The only way to get 403 on a clean fork of CORS Anywhere is when you've configured restrictions for what origins are allowed access (e.g. via the CORSANYWHERE_BLACKLIST or CORSANYWHERE_WHITELIST environment variables, if you use the server.js from the project). Make sure to use the correct syntax; if you need a refresher on what an Origin is, see https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#definition_of_an_origin

Hey Rob, I am trying to understand this but I am not that familiar with node. I mostly use frameworks. Can you please (when you are free), just write a full documentation or text on how to upload after cloning this repository. Please that would be appreciated greatly.

Rob--W commented 3 years ago

@LincCodes Please do not post multiple comments on this issue asking for support; open a new issue instead, but not before reading existing documentation (including existing issues, or references to external documentation, such as documentation on Heroku). This issue is meant as an announcement, and is kept open so that affected users can communicate with each other.

I've deleted two of your comments (a Thank you message plus your request for documentation).

isoaxe commented 3 years ago

@LincCodes If you're still having issues, just follow the instructions here.

Harshita2996 commented 3 years ago

https://cors.bridged.cc/

Not working for me.

Harshita2996 commented 3 years ago

@Corey-Wademan If you're still looking for a solution to this problem, you can follow the steps in this readme. I used this, it's giving me 403 forbidden. I've provided the url in array in server.js still getting 403 forbidden.

drajhari4418 commented 3 years ago

On clicking the link, this message appears: I have the message "You currently have temporary access to the demo server." but it is still not working :( And when I open the link the next time, the message that appears is: "This API enables cross-origin requests to anywhere.

Usage:

/ Shows help /iscorsneeded This is the only resource on this host which is served without CORS headers. / Create a request to , and includes CORS headers in the response.

If the protocol is omitted, it defaults to http (https if port 443 is specified).

Cookies are disabled and stripped from requests.

Redirects are automatically followed. For debugging purposes, each followed redirect results in the addition of a X-CORS-Redirect-n header, where n starts at 1. These headers are not accessible by the XMLHttpRequest API. After 5 redirects, redirects are not followed any more. The redirect response is sent back to the browser, which can choose to follow the redirect (handled automatically by the browser).

The requested URL is available in the X-Request-URL response header. The final URL, after following all redirects, is available in the X-Final-URL response header.

To prevent the use of the proxy for casual browsing, the API requires either the Origin or the X-Requested-With header to be set. To avoid unnecessary preflight (OPTIONS) requests, it's recommended to not manually set these headers in your code.

Demo : https://robwu.nl/cors-anywhere.html Source code : https://github.com/Rob--W/cors-anywhere/ Documentation : https://github.com/Rob--W/cors-anywhere/#documentation"

james-work-account commented 3 years ago

How long is "temporarily"? Minutes? Hours? Days?

Rob--W commented 3 years ago

How long is "temporarily"? Minutes? Hours? Days?

The temporary exception is stored in memory. The exceptions are currently cleared once a day, or sooner if the application is restarted. The exceptions last at most 27.5 hours due to Heroku's automatic dyno restart policies that are documented at https://devcenter.heroku.com/articles/dynos#automatic-dyno-restarts
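The in-memory, periodically cleared opt-in described above, together with the earlier note about Heroku routers being mistaken for the "client", as an added sketch; it is not the demo server's code, which this thread does not show. Assumptions: the platform router appends the connecting client's address as the last `X-Forwarded-For` entry, the opt-in is a `POST` to `/corsdemo`, and all function and class names are hypothetical.

```javascript
// Added sketch of an opt-in gate placed in front of a proxy.
const DAY_MS = 24 * 60 * 60 * 1000;

// Behind a platform router the socket peer is the router, not the visitor.
// Assumption: the router appends the connecting client's address as the LAST
// X-Forwarded-For entry; earlier entries are client-supplied and untrusted.
function clientId(req) {
  const xff = String(req.headers['x-forwarded-for'] || '');
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return hops.length ? hops[hops.length - 1] : req.socket.remoteAddress;
}

class TemporaryAccess {
  constructor(now = Date.now) {
    this.now = now;              // injectable clock, for testing
    this.granted = new Set();    // in memory only: lost on every restart
    this.lastCleared = now();
  }
  // Clear every exception once a day instead of tracking per-client expiry.
  expire() {
    if (this.now() - this.lastCleared >= DAY_MS) {
      this.granted.clear();
      this.lastCleared = this.now();
    }
  }
  grant(req) {
    this.expire();
    this.granted.add(clientId(req));
  }
  isAllowed(req) {
    this.expire();
    return this.granted.has(clientId(req));
  }
}

// Routing decision made before the request reaches the proxy handler.
function gate(access, req) {
  if (req.method === 'POST' && req.url === '/corsdemo') {
    access.grant(req);
    return { status: 200, body: 'temporary access granted' };
  }
  if (!access.isAllowed(req)) {
    return { status: 403, body: 'opt in at /corsdemo first' };
  }
  return { forward: true };
}

// Constructed requests: same router socket, different forwarded clients.
function fakeReq(xff, method, url) {
  return {
    method: method || 'GET',
    url: url || '/https://example.com/',
    headers: { 'x-forwarded-for': xff },
    socket: { remoteAddress: '10.0.0.1' },
  };
}
const demo = new TemporaryAccess();
gate(demo, fakeReq('203.0.113.7', 'POST', '/corsdemo'));
console.log(gate(demo, fakeReq('203.0.113.7')));   // forwarded
console.log(gate(demo, fakeReq('198.51.100.4')));  // 403: this client never opted in
```

Keying the exception on the socket address instead of `clientId` would grant access to every visitor behind the same router as soon as one of them opted in.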

leehsihau commented 3 years ago

Bruh you can't believe how many people you have helped. SALUTE

cseiter commented 3 years ago

Just wanted to say thanks for this page/app. I'm in a software development course and about 95% of the FETCH statements for my labs work without it, but a few need it for me for some reason.

karlo-babic1 commented 3 years ago

Hi dear friend, I'm trying to learn Ajax with Vanilla Javascript. I got a problem with CORS ( from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, https, ipns, chrome-untrusted, ipfs, data, chrome, chrome-extension. ), and I fixed it with

     https://cors-anywhere.herokuapp.com/sample.txt (sample.txt is my file).

Then I got error which says that I should visit https://cors-anywhere.herokuapp.com/corsdemo and then enable demo server by clicking on the button, and I did. (NOTE: I've been trying to make this work with : XAMPP (CrosPlatform Apache PHP Perl server, as guide used it, and also mentioned that we can do this with LIVE SERVER from VS Code, so I did that too. ))

And now, after enabling DEMO SERVER I am getting error for not found page it says this: 404 (Invalid host)

Here is code:

(Javascript)

document.getElementById('button').addEventListener('click', loadText);

function loadText(){
    let xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://cors-anywhere.herokuapp.com/sample.txt', true);

    xhr.onload = function(){
        if(this.status == 200){
            //console.log(this.responseText);
           // It SHOULD display text on the screen NO matter have you consol.loged it,  there is     xhr.send   function(I tried both, nothing works)
        }
    };    

    xhr.send();

};

(HTML)

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Ajax 1 - Text File</title>
</head>
<body>
    <button id="button">Get Text from File</button>

    <script src="main.js"></script>
</body>
</html>

(SAMPLE TEXT just lorem)

Lorem ipsum dolor, sit amet consectetur adipisicing elit. Consequuntur nisi modi fuga voluptatibus expedita, eius deleniti quisquam quo, at ducimus ipsam quis nobis veniam eveniet dolore aliquam repudiandae, totam explicabo sint eos tempora facilis qui. Asperiores fugiat voluptate nemo laborum. Iste ducimus sapiente ipsam! Culpa, animi? Optio esse perferendis velit!

I hope I gave clear explanation 😄

Thank you in Advance

karlo-babic1 commented 3 years ago

I got error which says that I should visit https://cors-anywhere.herokuapp.com/corsdemo and then enable demo server by clicking on the button, and I did. (NOTE: I've been trying to make this work with : XAMPP (CrosPlatform Apache PHP Perl server, as guide used it, and he also mentioned that we can do this with LIVE SERVER from VS Code, so I did that too. )

And now, after enabling both (XAMPP / LIVE SERVER and DEMO SERVER) I am getting error for not found page, it says this: 404 (Invalid host)

Here is my code:

(Javascript)

document.getElementById('button').addEventListener('click', loadText);

function loadText(){
    let xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://cors-anywhere.herokuapp.com/sample.txt', true);

    xhr.onload = function(){
        if(this.status == 200){
            //console.log(this.responseText);
           // It SHOULD display text on the screen NO matter have you consol.loged it,  there is     xhr.send   function(I tried both, nothing works)
        }
    };    

    xhr.send();

};

leboceb commented 3 years ago

Are you trying to do a post?

On Tue, 27 Apr 2021 at 13:20, karlo-babic1 @.***> wrote:

I got error which says that I should visit https://cors-anywhere.herokuapp.com/corsdemo and then enable demo server by clicking on the button, and I did. (NOTE: I've been trying to make this work with : XAMPP (CrosPlatform Apache PHP Perl server, as guide used it, and also mentioned that we can do this with LIVE SERVER from VS Code, so I did that too. ))

And now, after enabling DEMO SERVER I am getting error for not found page it says this: 404 (Invalid host)

Here is code:

(Javascript)

document.getElementById('button').addEventListener('click', loadText);

function loadText(){
    let xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://cors-anywhere.herokuapp.com/sample.txt', true);

    xhr.onload = function(){
        if(this.status == 200){
            //console.log(this.responseText);
           // It SHOULD display text on the screen NO matter have you consol.loged it,  there is     xhr.send   function(I tried both, nothing works)
        }
    };

    xhr.send();

};


Rob--W commented 3 years ago

@karlo-babic1 Please do not post off-topic comments here. Open a new issue instead.

I am getting error for not found page, it says this: 404 (Invalid host)

    xhr.open('GET', 'https://cors-anywhere.herokuapp.com/sample.txt', true);

Your code sample is incorrect. The format is https://cors-anywhere.herokuapp.com/[url], and in your case [url] is sample.txt, i.e. http://sample.txt/. That's obviously not correct. Your issue is most likely not related to CORS Anywhere, in fact it seems that you need to correctly configure your server instead of introducing CORS Anywhere.

karlo-babic1 commented 3 years ago

@Rob--W @leboceb thanks for trying to help

ra1nbow1 commented 3 years ago

What is the permanent link instead of https://cors-anywhere.herokuapp.com/ ?

Rob--W commented 3 years ago

What is the permanent link instead of https://cors-anywhere.herokuapp.com/ ?

If you're asking for an "official" domain: this is the "official" domain of the demo server.

ra1nbow1 commented 3 years ago

What is the permanent link instead of https://cors-anywhere.herokuapp.com/ ?

If you're asking for an "official" domain: this is the "official" domain of the demo server.

I mean how to use it without the need to extend the time. Without clicking 'Request temporarily access'

isoaxe commented 3 years ago

You need to create and host your own server.

Rob--W commented 3 years ago

What is the permanent link instead of https://cors-anywhere.herokuapp.com/ ?

If you're asking for an "official" domain: this is the "official" domain of the demo server.

I mean how to use it without the need to extend the time. Without clicking 'Request temporarily access'

Instructions to set up your own instance are available at https://github.com/Rob--W/cors-anywhere#demo-server

ra1nbow1 commented 3 years ago

What is the permanent link instead of https://cors-anywhere.herokuapp.com/ ?

If you're asking for an "official" domain: this is the "official" domain of the demo server.

I mean how to use it without the need to extend the time. Without clicking 'Request temporarily access'

Instructions to set up your own instance are available at https://github.com/Rob--W/cors-anywhere#demo-server

Thanks

tech-doctor commented 3 years ago

@Corey-Wademan If you're still looking for a solution to this problem, you can follow the steps in this readme.

Thanks @Isoaxe , this works perfectly for me

softmarshmallow commented 3 years ago

Hi Cors Anywhere users. I've made a free unlimited version of cors-anywhere (It's exactly the same thing, backed by Grida so it can run at full speed with least limitations)

Here's more information in this blog.

Quick usage -> https://cors.sh/playground

https://proxy.cors.sh/https://your-server.com

Hope this helps with your development ! :)