Documentation
CORSPORXY Logo

Documentation → general

403 Forbidden

A 403 Forbidden response means the request was blocked either by CorsProxy policy/plan limits or by the upstream site.

First: confirm where the 403 comes from

  1. Request the target URL directly (without CorsProxy) from your own machine or server.
  2. Request it through CorsProxy.
  3. Compare status codes and response bodies.

If the target already returns 403 directly, CorsProxy cannot “fix” that. Many sites block datacenter IPs, bots, or certain user agents.

Examples of upstreams that commonly return 403 for proxied traffic include some finance/market APIs, certain RSS feeds, and sites with aggressive bot protection (for example, some users report this with Polymarket or specific news RSS endpoints).

Common CorsProxy-specific causes

  • Missing or invalid API key when a feature requires it.
  • Using plan-restricted parameters (for example: extract, input, output, ttl).
  • Requesting private or local network targets (for example: 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16).

Fix checklist

  • Use the recommended ?url= format and encode the target with encodeURIComponent().
  • Remove optional parameters and re-test with the simplest URL.
  • If you are using premium features, include your API key.
  • If a specific upstream (for example an RSS feed or API) blocks proxied traffic, try a different upstream endpoint or fetch it from your own backend.