Are CORS Proxies Safe?
On This Page
If you’re considering using CORS proxies in your project, you might be concerned about their privacy and safety implications, especially if you’ve seen articles discussing CORS proxy security concerns, like this great article from HTTP Toolkit.
In this blog post, we’ll address each potential concern so you can be better equipped with knowledge when using CORS proxies.
How Do CORS Proxies Work?
Before jumping into the security concerns, it’s helpful to understand how CORS proxies actually work.
When you use a CORS proxy, you provide the target URL or API that you want to fetch without CORS errors. The proxy reads your request to extract the URL and fetch your data. Then, upon returning the response, the proxy modifies the HTTP headers to include the necessary CORS headers.
This is basically how CORS proxies work. In order to function, they must read and modify requests going through the proxy.
Addressing the Concerns
Now that you understand how CORS proxies work, let’s address each concern one by one.
Free Hosted CORS Proxies Are Dangerous
There are several points to consider here. First, a CORS proxy can read and modify the traffic going through it. As we discussed previously, this is in fact, how a CORS proxy works.
This doesn’t mean we should simply accept it as inevitable. Using a CORS proxy requires some level of trust because it can potentially store logs of your requests and modify responses beyond just adding headers. This is why you need to trust the proxy you’re using.
Running a proxy service requires time and money. This is why free services might raise suspicions about their funding model and potential incentives to monetize user data.
Another concern with free CORS proxies is reliability. You can’t depend on your website using a free CORS proxy since it can shut down unexpectedly, potentially breaking your application.
CORS Proxies Can Leak Private State Between Origins
In the HTTP Toolkit article, there’s a detailed explanation of how this can happen. The gist is that since you’re essentially only calling a single domain every time you use a proxy, any cookies that are passed along via the proxy from multiple websites are all stored under this proxy domain.
If you send a request via the proxy that requires cookies, it means all cookies are sent with this request, even those from completely unrelated websites. This effectively “leaks private state between origins.”
We agree with this point completely. A CORS proxy should not be returning or accepting cookies.
CORS Proxies Can Expose the Proxy’s Local Network
This concern relates to SSRF (Server-Side Request Forgery) attacks. Here’s how this vulnerability works:
Since CORS proxies allow users to fetch nearly any URL, an attacker could exploit this by requesting data from local IP addresses instead of legitimate APIs. Because the request originates from the proxy server, the attacker can effectively access the server’s internal network through the proxy.
This type of attack can escalate to more serious security breaches, such as LFI (Local File Inclusion), where an attacker gains the ability to read arbitrary files from the server.
While this vulnerability primarily affects the proxy provider rather than the proxy user, it can indirectly impact users if the compromised server leads to service disruption or data breaches.
This is a legitimate concern that requires proper mitigation. A secure proxy should implement protections against SSRF attacks, which could include validation for user input.
CORS Proxies Are Easily Abused
This concern is more of a problem for someone providing a CORS proxy service. It discusses how hosting an open proxy can be subject to abuse, so it’s less related to the proxy user. However, if you’re using a free, open CORS proxy, this might affect you since your website could become unreliable. You can’t depend on free CORS proxies for consistent service.
Our approach for making a safe CORS proxy
To be safe, a CORS proxy needs to properly address all the concerns we’ve outlined above.
We can’t speak for other CORS proxy services out there, but we can share how we’re implementing these measures at Corsfix to keep our service and users safe:
-
No logs policy: We don’t log your proxy requests. In fact, we don’t want your data, we just focus on providing the best service and making sure you can solve CORS errors quickly.
-
We are open source: Since our codebase is open source, you can independently audit our code to verify our privacy claims. If you still don’t trust us, you are free to host the proxy yourself.
-
We don’t use cookies: We avoid setting cookies altogether in our response headers, since most APIs nowadays don’t use cookies.
-
We sanitize target URLs: This protects against local network attacks. Every request is sanitized down to the DNS resolution level to prevent requests going to local networks, only public internet is allowed.
-
We have a high-reliability architecture: We have redundant servers across the globe serving your requests. This serves two purposes: availability and minimum latency. We also protect our servers behind firewalls, so only legitimate requests are allowed through. All of this combines to give us 99.9% availability on our service, ensuring you can safely depend on us being available.
Conclusion
CORS proxies can be safe to use if they implement proper security, privacy and reliability measures, such as: maintaining no-logs policies, providing transparency via open source, protecting against common attacks involving cookies or SSRF, and ensuring high availability.
When choosing a CORS proxy, avoid free services that lack transparency and reliability guarantees. Look for providers that address each of these concerns.
If you’re using Corsfix, you can rest assured that we have all of these security measures covered and implemented. Our commitment to transparency, privacy, and reliability means you can trust us with your CORS proxy needs.