Restrict access of public CORS Anywhere demo #45
The CORS Anywhere demo is hosted at Heroku. I've been informed that the app is causing performance issues on the platform and that hosting an open proxy is against the Acceptable Use Policy:
I'll be monitoring the traffic in the coming period, and blacklist all origins/destinations that have excessive usage demands, and/or automatically block sites that have more than X requests per Y seconds, unless explicitly whitelisted.
These measures are needed to 1) resolve the performance issues on the Heroku platform, 2) prevent abuse of the open CORS Anywhere proxy, and 3) ensure that the CORS Anywhere demo can continue to operate for (small) sites who want to try out CORS Anywhere before hosting it themselves.
added a commit, May 30, 2016
I have now imposed some rate limits.
With some exceptions (e.g. localhost, because it's used for development and blocking localhost altogether doesn't make sense), you can only make 600 requests per origin per hour. I came to this number by capturing Origin headers for a whole hour, 5 times (on the weekend and on weekdays, at different times of day), resulting in 1741K requests from 2.9k unique origins, excluding previously blacklisted origins. The data shows that:
600 requests per hour is a royal limit. If you need more, host your own instance of CORS Anywhere (see https://github.com/Rob--W/cors-anywhere#demo-server for instructions). If this limit turns out to be too permissive, the limit may be tightened even more.
Here are some statistics based on the data.
I captured another 1 hour of requests after setting the limit to 600 per hour, and got the following actual results (excluding blacklisted sites):
These actual findings are within the expectations from the original investigation, so I'll stick to these limits for now.
And here are some more healthy statistics from the past hour (similar to the analysis from #42 (comment)):
Status codes (including requests that were immediately blacklisted and not visible in the above stats):
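The policy described in this thread (a per-Origin request budget per hour, a small exempt list such as localhost, and a blacklist of origins that are always refused) is small enough to show end to end. The block below is an added illustration written for this page, not cors-anywhere's own rate-limiting code, and it assumes a plain Node.js `(req, res, next)` handler chain; the origin names, the 600-per-hour figure taken from the comment above, and the `createOriginRateLimiter` / `rateLimitMiddleware` names are all constructed for the example. It keys the budget on the normalized `Origin` header (scheme plus host, so `https://Site.Example/` and `https://site.example` share one bucket), uses a fixed window, and answers an exhausted budget with `429` and a `Retry-After` header so a client can back off instead of hammering the proxy.

```javascript
'use strict';
// Added example (not cors-anywhere's own code): a fixed-window rate limiter
// keyed on the request's Origin header, following the policy in the issue:
// N requests per origin per window, an exempt list, and a blocklist.

// Reduce an Origin header to "scheme://host[:port]" so cosmetic variations
// (case, trailing slash, default port) map to the same bucket. A missing
// header gets its own bucket; this is the example's assumption, not the
// demo server's actual handling of origin-less requests.
function normalizeOrigin(origin) {
  if (!origin) return '(no origin)';
  try {
    const u = new URL(origin);
    return u.protocol + '//' + u.host;
  } catch (e) {
    return String(origin).toLowerCase();
  }
}

function createOriginRateLimiter(options) {
  const maxRequests = options.maxRequests;           // e.g. 600
  const windowMs = options.windowMs;                 // e.g. 60 * 60 * 1000
  const exempt = new Set((options.exemptOrigins || []).map(normalizeOrigin));
  const blocked = new Set((options.blockedOrigins || []).map(normalizeOrigin));
  const counters = new Map();                        // origin -> {count, windowStart}

  // Decide for one request. `now` is passed in (ms) so the logic is
  // deterministic and testable; a server passes Date.now().
  function check(originHeader, now) {
    const origin = normalizeOrigin(originHeader);
    if (blocked.has(origin)) {
      return { allowed: false, reason: 'blocked', origin, count: 0 };
    }
    if (exempt.has(origin)) {
      return { allowed: true, reason: 'exempt', origin, count: 0 };
    }
    let entry = counters.get(origin);
    if (!entry || now - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: now };        // start a fresh window
      counters.set(origin, entry);
    }
    entry.count += 1;
    if (entry.count > maxRequests) {
      return {
        allowed: false,
        reason: 'rate-limited',
        origin,
        count: entry.count,
        retryAfterMs: entry.windowStart + windowMs - now,
      };
    }
    return { allowed: true, reason: 'ok', origin, count: entry.count };
  }

  return { check };
}

// Wrap the limiter as a Node-style middleware: refused requests get a 429
// (and Retry-After when the refusal is a budget exhaustion, not a blocklist hit).
function rateLimitMiddleware(limiter) {
  return function (req, res, next) {
    const decision = limiter.check(req.headers.origin, Date.now());
    if (decision.allowed) return next();
    res.statusCode = 429;
    if (decision.retryAfterMs) {
      res.setHeader('Retry-After', String(Math.ceil(decision.retryAfterMs / 1000)));
    }
    res.setHeader('Content-Type', 'text/plain');
    res.end('Origin ' + decision.origin + ' refused: ' + decision.reason +
            '. Host your own instance of CORS Anywhere for higher limits.');
  };
}

// Constructed configuration mirroring the comment above: 600/hour per origin,
// localhost exempt, one made-up abusive origin blocked.
const demoLimiter = createOriginRateLimiter({
  maxRequests: 600,
  windowMs: 60 * 60 * 1000,
  exemptOrigins: ['http://localhost:8080'],
  blockedOrigins: ['https://abuser.example'],   // placeholder, not a real site
});

module.exports = { normalizeOrigin, createOriginRateLimiter, rateLimitMiddleware, demoLimiter };
```

Because the window is fixed rather than sliding, an origin can burst up to twice the budget across a window boundary; that is acceptable for the "royal" 600/hour figure above, and the counter map should be periodically pruned in a long-running process so blocked-then-idle origins do not accumulate.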