Article Timeline

What Are CORS Proxies and Are They Safe?

Reading time: 7 min read
Harsha Kiran
Written by
Harsha Kiran

Updated · Jul 28, 2023

Harsha Kiran
Founder | Joined March 2023 | LinkedIn
Harsha Kiran

Harsha Kiran is the founder and innovator of Techjury.net. He started it as a personal passion proje... | See full bio

Also contributed:
Florence Desiata
Edited by
Florence Desiata

Editor

Florence Desiata
Joined June 2023 | LinkedIn
Florence Desiata

Florence is a dedicated wordsmith on a mission to make technology-related topics easy-to-understand.... | See full bio

Also contributed:
Techjury is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more.
x
Advertiser Disclosure

This page may contain links to our partners’ products and services, which allows us to keep our website sustainable. Тechjury.net may receive a compensation when you sign up and / or purchase a product or a service using our links. As an Amazon Associate we earn commissions from qualified purchases. This comes at no extra cost to you. On the contrary, these partnerships often allow us to give you discounts and lower prices. However, all opinions expressed on our site are solely ours, and this content is in no way provided or influenced by any of our partners.

A CORS error is one of the most common website development issues where users see broken images, video players not showing, or website functions not working.

These errors happen when a server hosting the requested content refuses a CORS request based on its configuration. 

Proxy servers, specifically CORS proxies, can resolve this but with a few caveats.

Continue reading to learn more about CORS proxies and the risks associated with their use. 

Key Takeaways

  • CORS proxies help resolve CORS errors by acting as middlemen between the client's browser and the server hosting the content.
  • Risks associated with CORS proxies include security issues, potential cookie leakage, and the possibility of server-side request forgery (SSRF).
  • Use trusted paid CORS proxy providers or set up your proxy server to mitigate security risks.
  • Implementing whitelisting origin requests can help prevent SSRF attacks by restricting proxy responses to safe listed targets.

What is CORS?

Before diving into CORS proxies, it is crucial to understand what CORS is and how it works.

CORS, or Cross Origin Resource Sharing, is a mechanism used to request content hosted on a server of a different origin. 

To give you some clarity, here are some CORS examples.

  • An image used in a website but is hosted on another website or server
  • JS scripts or JSON hosted in another server or sub-domain

CORS mechanism is usually adapted as a flexible solution since most web browsers implement the same-origin policy for end-user safety. 

With the Same-Origin policy, websites can only source content if it comes from the same domain, port number, and security protocol. This is not always the case, so CORS comes into the picture. 

To gain a better understanding of what CORS is, check out the video below: 


🎥YouTube Video: CORS in 100 Seconds (00:00-01:11)

To overcome errors due to denied requests, the host server must change its CORS configuration or use a CORS proxy.

What is CORS Proxy and How It Works

📖Definition

A CORS proxy acts as a middleman between the requesting client or browser and the server hosting the desired content. CORS proxies are created to overcome CORS errors.

Based on the example given above, here’s how a CORS proxy will work:

  1. The browser will send the request to the CORS proxy server.
  2. The CORS proxy will then forward the request to example2.com.
  3. The host of example2.com sends the response to the CORS proxy.
  4. CORS proxy will forward the response to the browser client with proper headers.
  5. The browser will approve and render the content.

It may look easy, but there are security risks involved in using CORS proxies. These risks will be discussed in the next section.

Risks Of Using CORS Proxies

Here are the risks involving the use of CORS proxies and how they can be handled:

CORS Proxies Know It All

CORS proxies can do anything with the traffic that passes through them. 

Sending traffic to a CORS proxy means that you absolutely trust the proxy. It can read all the data you pass through, with almost no exception.

Free proxies are dangerous, let alone free CORS proxies

For example, if your site is set up to get JavaScript content from a different origin, you also allow the CORS proxy to run any JS script.

Letting other people take control of your site’s functions can be terrifying. It is better to create your own proxy server for CORS or rely on a trusted paid provider is better.

Pro-tip: Always do a thorough check before choosing a proxy provider, even if you’re planning to use paid ones. This ensures better security and minimizes the associated risks.

Cookies May Leak To Unintended Destination

Responses from the requested servers may include cookies. Browsers may be unable to differentiate their intended use as they only interact with the CORS proxy server. 

Let’s say example.com need to source content from example2.com

The browser sends a request to the CORS proxy server, and the response indicates a “set-cookie” header. The cookie intended for example2.com is saved on the browser.

On another site section, example.com need to source content from example3.com

The browser sends a request to the CORS proxy but includes the cookies intended for example2.com. It only interacts with the CORS proxy, so it does not know the difference. 

It all comes down to how much you trust the proxy server and the servers hosting the content you need.

If you have control of the CORS proxy server, it might be better to remove cookie headers altogether. The same is true for allowing the transfer of credentials.

Pro-tip: To avoid the risk of cookies being sent to unintended destinations, you should consider removing cookie headers and assess the reliability of the proxy and content-hosting servers.

Server-Side Request Forgery

If you decide to host an internal CORS proxy, there is a danger that your internal network will be exposed to outside users. 

This attack is also known as server-side request forgery (SSRF). This can be done by sending a request through the proxy to access internal resources.

A user can set the destination to 127.0.0.1 or localhost to command the proxy to look back at its network. 

This attack can potentially acquire admin interface access or obtain sensitive information.

Pro-tip: Whitelisting origin requests can help avoid this. By allowing requests from trusted sources only, you can reduce the risk of unauthorized access to sensitive internal resources.

Best CORS Proxies You Can Use

While there are risks to using CORS proxies, there are also ways to mitigate them. 

As long as they are used cautiously, CORS proxies have the potential to be a long-term solution to CORS errors.

With that in mind, here is a list of CORS proxies that you can employ:

Cloudflare

Price:

  • Free Plan – 100,000 requests per day
  • $5/month – 10 million requests per month

Key Features:

  • Content Caching
  • CDN benefits
  • Free plan

Cloudflare is one of the leading CDNs in the world. What makes it popular is its free plan with no time limit. 

Its CORS proxy works through the Cloudflare Workers. One of its remarkable features is content caching. It makes the proxy ready for delivery for the subsequent request of the same header. 

Keep in mind that you have to pay to extend the features and increase the number of requests. 

However, it is guaranteed to be worth the money—given that CloudFlare is a trusted brand that supports over 27 million websites worldwide.

CORS Anywhere

Price: FREE

Key Features:

  • Open-source
  • Local proxy creation

CORS Anywhere is a viral open-source module for Node.js. 

It lets you run a proxy server for CORS locally. This will bypass the CORS limitation imposed by the browser since CORS is a policy from the browser.

This tool will reroute the request to the local proxy. The proxy will fetch the data from the target origin, then pass it to the browser with proper headers.

CORS Anywhere is a free tool attractive to developers and website owners. The downside is you will always have to run Node.js to keep it working.

CORS.SH

Price: $4/month – 500,000 requests per month

Key Features:

  • 500GB bandwidth
  • Unlimited projects
  • No hourly limit
  • Maximum 6 MB per request

Another paid CORS proxy service is CORS.SH. The code here is based on CORS Anywhere but with an added playground. 

The basic plan can support up to 500,000 requests per month with no hourly limit.

CORS.SH will save you from running Node.js all the time to keep the proxy working. 

However, you should remember the basic CORS proxy precautions when using someone else’s CORS proxy.

Conclusion

CORS proxies have some serious safety issues, but taking the necessary precautions can be a reliable solution for overcoming CORS errors.

Some CORS proxies are limited to test use and not production. You should keep an eye on the use-case recommendations on any CORS proxy you can find.

FAQs.

What happens when you enable CORS?

This means you are allowing HTTP requests to source content from your server. You can whitelist the domains that send you these requests, so there should be no problem.

What issues does CORS prevent?

CORS prevents arbitrary and unrestrained requests to any website’s or server’s resources. It considers the existence of requests from malicious scripts that aim to steal sensitive data.

What is the impact of CORS vulnerability?

If CORS is poorly configured, servers may respond to almost any request and leak sensitive data.

SHARE:

Facebook LinkedIn Twitter
Leave your comment

Your email address will not be published.


You may also be interested in.