Cors API

Product

A complete control plane for browser-safe API traffic

Self-hosted CORS proxy with allowlists, quotas, API keys, observability, and team governance — so your frontends can call third-party APIs without turning your network into an open relay.

Create accountRead the guide
Technical blogHome

Why teams use CorsAPI for cross-origin API access

Modern web apps constantly call payment, identity, analytics, and partner APIs. Browsers enforce the same-origin policy and CORS; misconfiguration shows up as silent failures in production. CorsAPI centralizes CORS rules, allowed upstream hosts and paths, and per-project rate limits so your product teams can ship faster without patching every upstream service.

You keep data in your own infrastructure. The dashboard is where you create projects, list browser origins, define which DNS names and URL prefixes may be reached, and issue API keys. Traffic is attributed to a project key, so you can rotate credentials, read usage, and spot spikes before they become outages.

Whether you run a single-page app, a mobile app with a WebView, or server-side workers that call the same proxy, the same policy model applies: explicit allowlists, quotas, and analytics — not a generic open proxy.

Free tier at a glance

Numbers below reflect the active limits for new workspaces on this deployment. Use them when sizing staging and production projects.

5

Projects per account

Separate workspaces for staging, production, or product lines.

120

Requests per minute (ceiling)

Per-project cap you can tune within the free-tier ceiling.

20

Browser origins per project

Localhost ports, preview URLs, and production domains.

Built for real delivery workflows

From local development to production rollouts — the same policy primitives apply.

Frontend teams shipping SPAs

List every origin you need in development and production, then tighten hosts and paths as integrations stabilize. The proxy tester in the dashboard reproduces the same CORS and policy behavior your users see.

  • Origin list covers localhost and preview deployments
  • Host and path rules prevent accidental wide-open calls
  • Quota headers help you throttle before hard errors

Platform & SRE operators

Health routes support readiness probes; daily usage and error rates highlight regressions. p95 latency samples alongside volume help you distinguish upstream slowness from client-side issues.

  • Health endpoints for liveness and readiness checks
  • Daily rollups for requests, errors, and latency
  • Per-project keys for clear ownership and rotation

Security-conscious organizations

Method allowlists, body size limits, header filtering, and optional hardening response headers reduce leakage and abuse. Organizations and roles keep governance aligned as teams grow.

  • Policy per project, not per ad-hoc server patch
  • Header filtering and IP controls where you enable them
  • Export and deletion workflows for privacy programs

Proxy & gateway

CORS, allowlists, and quotas — the traffic that leaves your browser or server passes through rules you define.

  • CORS & OPTIONS preflight

    Define browser origins per line; the proxy emits CORS responses that match your project policy — no ad-hoc patches on upstream services.

  • Host & path allowlists

    Only your approved upstream hosts and path prefixes are reachable. Not an open relay — traffic is constrained to rules you configure.

  • API keys per project

    Issue and revoke keys with prefixes; send X-CorsAPI-Key or Authorization: Bearer from browsers or servers within your free-tier limits.

  • Per-minute quotas & headers

    Set a configurable requests-per-minute cap per project; successful responses can include quota hints (e.g. X-RateLimit-* style headers).

Observability

See volume, errors, and latency in one place — before users open a ticket.

  • Daily usage & errors

    Per-project daily rollups: request counts, 4xx/5xx breakdowns, and latency aggregates — so you see trends before users do.

  • p95 latency samples

    Track upstream slowness with percentile latency samples alongside volume — useful for SLOs and regressions.

  • In-dashboard proxy tester

    Send test requests through the proxy from the browser with method, URL, extra headers, and optional body — your CORS and policy rules apply.

Security & policy

Tighten what methods, headers, and bodies can flow through the proxy for each project.

  • Per-project security policy

    HTTP method allowlists, max body size, client IP allowlists, strip or block headers, upstream HTTPS expectations, timeouts, and redirect limits.

  • Header filtering

    Control which request headers reach upstream and which response headers return to the client — reduce cookie leakage and fingerprinting.

  • Optional security response headers

    Toggle common hardening headers on responses from the proxy to improve browser-side safety for your frontends.

Platform & compliance

Accounts, teams, machine-readable API descriptions, and privacy-friendly operations.

  • Organizations & roles

    Collaborate with teams: workspaces, projects, and roles (owner, admin, member) for shared governance.

  • Accounts & email verification

    Sign-up with SMTP-backed verification where configured; password flows and session cookies for the dashboard.

  • OpenAPI & health endpoints

    Machine-readable API descriptions for integrations; interactive docs when your deployment exposes them. Health routes such as /health/live and /health/ready for probes and deploys.

  • Documented free-tier limits

    Public GET /api/plan/limits returns active caps for projects, origins, keys, and quota — ideal for dashboards and post-deploy checks.

  • Data export & account deletion

    Settings support export and account deletion workflows — important for GDPR-style and KVKK-aligned processes when you self-host data.

How CorsAPI fits into your architecture

CorsAPI is not a generic HTTP tunnel. It is a policy-enforced proxy that sits between your clients and approved third-party APIs, with identity and quotas per project.

Browser clients send an Origin header; the proxy must allow that origin for the request to succeed. Server-side clients skip CORS but still must send a valid project key and obey host and path rules — so the same project can serve both public frontends and private workers without duplicating upstream configuration.

Quotas are enforced per minute per project key. That protects shared infrastructure and gives you a predictable lever when a partner API changes rate limits or when a release misbehaves. Response headers often include quota hints so well-behaved clients can back off before receiving HTTP 429.

For compliance, you control where the service runs and who can access the dashboard. OpenAPI and health endpoints help you automate verification; export and deletion workflows support data-subject processes when you operate on your own infrastructure.

Frequently asked questions

Is CorsAPI an open HTTP proxy?+

No. Only upstream hosts and path prefixes you allow in a project can be reached. Requests must include a valid project API key and pass CORS and policy checks. That design prevents anonymous relay abuse.

Can I use the same project from browser and server?+

Yes. Browser calls must send an allowed Origin; server calls typically omit Origin but still send the key. Many teams use separate keys for client-side and server-side traffic so rotation and quotas stay clear.

How do quotas work?+

Each project has a per-minute request budget. Successful responses may include quota hints so clients can slow down. When the budget is exhausted, the service returns HTTP 429 until the window resets.

What observability do I get?+

Per-project daily summaries include request counts, error breakdowns, and latency aggregates including p95 samples. Use them for SLOs and to spot regressions after deploys or vendor changes.

What about security hardening?+

You can configure method allowlists, body size limits, header filtering, and optional hardening response headers per project. Combine with IP allowlists when your threat model requires it.

Where can I read more?+

Start with the usage guide in the documentation, then explore the blog for CORS and gateway topics. The API reference describes proxy parameters and auxiliary routes for your deployment.

Ready to try CorsAPI on your stack?

Create a free account, configure your first project, and run a test request from the dashboard in minutes.

Create accountRead the guide