Abuse Prevention & Security
CORSPROXY is a proxy service — we do not host, store, or cache any files or content. We only temporarily transfer data between the client and the upstream server. No content persists on our infrastructure after a request completes.
You may find corsproxy.io URLs appearing alongside copyrighted content that users attempt to proxy. These requests are automatically detected and blocked by our systems before any data is transferred.
We take abuse seriously and enforce multiple layers of security controls to prevent misuse and maintain a safe, reliable service for legitimate developers.
Abuse takedown: < 24h
Rate limits: Strict
Automated blocking: 24/7
1. Security Controls
Every request passes through multiple security layers before reaching the upstream target:
| Control | Description |
|---|---|
| SSRF blocking | Blocks requests to localhost, loopback, private IP ranges, .local domains, and cloud metadata endpoints (e.g. 169.254.169.254, metadata.google.internal). |
| Protocol restriction | Only http, https, ws, and wss are allowed. All other schemes are rejected. |
| Timeout protection | Upstream requests are aborted after 30 seconds to prevent resource exhaustion. |
| Header sanitization | Strips forwarding headers (x-forwarded-for, cf-*, x-real-ip) and sensitive response headers like set-cookie. |
| Cache safety | Skips caching when requests include Authorization or Cookie. POST caching restricted to application/json, text/plain, application/graphql. |
| Route-level control | Snippet rules restrict execution to explicit proxy URL patterns on the exact intended host — no arbitrary subpaths or subdomains. |
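The protocol restriction and SSRF blocking rows above can be expressed as a single pre-flight check on the requested target. This is an added example, not CORSPROXY's own code; `checkTarget` and the other names are hypothetical, and the sketch inspects only the literal host in the URL, so a real filter would also need to validate the address the hostname resolves to.

```javascript
// Added example with hypothetical helper names; not CORSPROXY's implementation.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// Loopback, private and link-local IPv4 ranges as [network, prefix length].
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the range
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isBlockedV6(ip) {
  // Loopback, unspecified, unique-local fc00::/7, link-local fe80::/10,
  // and IPv4-mapped addresses (rejected wholesale as a conservative choice).
  return ip === "::1" || ip === "::" || ip.startsWith("::ffff:") ||
    /^f[cd][0-9a-f]{2}:/.test(ip) || /^fe[89ab][0-9a-f]:/.test(ip);
}

// Returns { ok: true } or { ok: false, reason } for a requested target URL.
function checkTarget(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "invalid-url" }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: "scheme" };
  // The WHATWG parser lowercases the host and canonicalizes IPv4 forms
  // such as decimal or hex integers into dotted-quad notation.
  const host = url.hostname.replace(/\.$/, "");
  if (host.startsWith("[")) {
    return isBlockedV6(host.slice(1, -1)) ? { ok: false, reason: "private-ip" } : { ok: true };
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return isBlockedV4(host) ? { ok: false, reason: "private-ip" } : { ok: true };
  }
  if (BLOCKED_HOSTS.has(host) || host.endsWith(".localhost") || host.endsWith(".local")) {
    return { ok: false, reason: "internal-host" };
  }
  return { ok: true };
}
```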
2. Access Control Layer
Tier-based restrictions enforce file size limits, content-type policies, and usage patterns per plan:
| Restriction | Free | Hobby | Business |
|---|---|---|---|
| Max file size | 1 MB | 1 MB | 1 GB |
| Content types | Text only | Text, images, PDF | Text, images, PDF |
| Video (video/*) | Blocked | Blocked | By request |
| Allowed origins | Localhost / dev only | Any | Any |
| Server-side usage | Blocked | Blocked | Allowed |
| Advanced params (extract, ttl, ...) | Blocked | Blocked | Allowed |
3. Content Blocklist
We maintain an extensive keyword blocklist that is continuously updated. Requests matching blocked patterns are rejected immediately. The blocklist covers streaming services, piracy-related terms, IPTV protocols, and other categories commonly associated with abuse.
4. Rate Limiting
All endpoints are subject to strict rate limits. Automated throttling prevents bulk abuse, scraping attempts, and resource exhaustion across the entire network.
5. Report Abuse
If you believe CORSPROXY is being used to access your content without authorization, contact us. We respond to every report and remove abusive content within 24 hours. As a proxy service, we do not store or host any content — blocking an abusive URL pattern takes effect immediately across our entire network.
Abuse reports: abuse@corsproxy.io
For copyright-specific complaints, please see our DMCA Policy.