A proxy to bypass CORS in the browser.
npm start- Default port:
8080(override withPORT)
PORT: Port for the HTTP server inside the container/process. Default8080.CBP_ALLOWED_HOSTS: Optional allowlist for target hosts. Comma-separated list supporting*wildcards.- Matching is case-insensitive against the target URL hostname (without port).
- Patterns are simple globs where
*matches any sequence of characters. - Examples:
CBP_ALLOWED_HOSTS=example.com,*.example.orgCBP_ALLOWED_HOSTS=api.internal.local,*.svc.cluster.local
- Note:
*.example.comdoes not matchexample.comitself. Include both if needed.
CBP_UPSTREAM_TIMEOUT_MS: Optional inactivity timeout for the upstream request (client → target).- If the target doesn’t send any data for this many milliseconds, the request is aborted.
- Default:
0(disabled, no inactivity timeout). - Example:
CBP_UPSTREAM_TIMEOUT_MS=120000for 2 minutes.
http://<host>:<port>/?__cbp-target=<urlencoded destination http/https URL>
__cbp-target— required: urlencoded full http/https URL (with its own query) where the request will be sent__cbp-origin— optional: overridesOrigin
curl "http://localhost:8080/?__cbp-target=https%3A%2F%2Fhttpbin.org%2Fget%3Fa%3D1"
curl -X POST -H "Content-Type: application/json" \
-d '{"hello":"world"}' \
"http://localhost:8080/?__cbp-target=https%3A%2F%2Fhttpbin.org%2Fpost"
curl "http://localhost:8080/?__cbp-target=https%3A%2F%2Fhttpbin.org%2Fheaders&__cbp-origin=https%3A%2F%2Fexample.com"Browser:
const t = encodeURIComponent('https://httpbin.org/get?a=1');
fetch(`http://localhost:8080/?__cbp-target=${t}`).then(r => r.json());- When
CBP_ALLOWED_HOSTSis set, requests to targets whose hostname does not match the allowlist are rejected with an error. - Long-polling or delayed responses: if you saw ~5–6s timeouts before, set
CBP_UPSTREAM_TIMEOUT_MS(or leave it at0) to allow longer waits.