PSA: Public demo server (cors-anywhere.herokuapp.com) will be very limited by January 2021, 31st

[Rob--W]

The demo server of CORS Anywhere (cors-anywhere.herokuapp.com) is meant to be a demo of this project. But abuse has become so common that the platform where the demo is hosted (Heroku) has asked me to shut down the server, despite efforts to counter the abuse (rate limits in #45 and #164, and blocking other forms of requests). Downtime becomes increasingly frequent (e.g. recently #300, #299, #295, #294, #287) due to abuse and its popularity.

To counter this, I will make the following changes:

1. The rate limit will decrease from 200 (PSA: Countermeasures to abuse #164) per hour to 50 per hour.
2. By January 31st, 2021, cors-anywhere.herokuapp.com will stop serving as an open proxy.
3. From February 1st. 2021, cors-anywhere.herokuapp.com will only serve requests after the visitor has completed a challenge: The user (developer) must visit a page at cors-anywhere.herokuapp.com to temporarily unlock the demo for their browser. This allows developers to try out the functionality, to help with deciding on self-hosting or looking for alternatives.

What should current users of CORS Anywhere do in response to this announcement?

If possible, try to avoid the need for a proxy at all. CORS Anywhere works by combining proxy functionality with CORS. You may not need proxy functionality, if the web service that you are trying to access already supports CORS. This is the preferred solution because it is faster and more reliable. For development, you can also consider the use of browser extensions that automatically enables CORS for certain websites.

If your use of CORS Anywhere is infrequent, then the exception from step 3 above will allow you to continue as before. The only difference is that you need to explicitly opt in before access is temporarily allowed. If you'd like to not have these restrictions, then you should self-host CORS Anywhere.

For an example of self-hosting, see https://github.com/Rob--W/cors-anywhere#demo-server . There are also many questions and answers about hosting on the issue tracker here (https://github.com/Rob--W/cors-anywhere/issues). If you have questions, please search for existing issues first before opening a new issue.

[Rob--W]

As announced, the public demo has been restricted. If you are developing a new web application and want to try out CORS Anywhere, visit https://cors-anywhere.herokuapp.com/ and click on the "Request temporary access to the demo server" button, to temporarily restore the full functionality of CORS Anywhere for your client only.

[yunyuyuan]

@gitalk

[rizkhal]

i have message "You currently have temporary access to the demo server." but still not working

[Rob--W]

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

[chrisabrams]

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

Same issue. I go to /corsdemo and click on the button, then I try to make any request and still get a 403 forbidden.

[Rob--W]

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

Same issue. I go to /corsdemo and click on the button, then I try to make any request and still get a 403 forbidden.

Again: please file an issue with exact reproduction steps. 403 can also be the result of something else (e.g. it being the real reply). I cannot resolve the issue unless you share the steps/URL/code/commands to reproduce the issue.

[AlexyOd]

You currently have temporary access to the demo server., but not wirking

[Rob--W]

I have just published an update to the demo server to improve the detection of a "client". Previously, Heroku routers were mistakenly identified as the "client", with the fix the actual clients are identified instead.

[ajsingh007]

Thanks for the PSA, was wondering why I was getting errors lol. This service was super useful to me and I am able to run it locally for a personal project. Am experimenting with hosting it on my own server. Appreciate your work on this project!!

[isoaxe]

Hi Rob. Yesterday I requested temporary access via the button located at '/corsdemo'. This got my app working again, though today I had to go through the process again.

Is frequently re-requesting access the intended behaviour? For development purposes this is not an issue, but in production a user couldn't be expected to do this of course. I'm just using the app as a portfolio project by the way, with very little traffic.

[jumpjack]

So what should I do to host cors-anywhere on my server? Documentation is very far from being clear.
Which folder structure should I create on my server?
Which files from the .zip I downloaded from github should I copy to the server?
Which address should I call from my script rather than "https://cors-anywhere.herokuapp.com" before the resource I need?
Which files should I edit to apply my own restriction?
Which kind of hosting service do I need? Shoud the server have any specific requirement, or will any hosting service work?

[heitorpacheco]

What can I do to use this in production? Is it just me to publish this project and use the url in front of my api?