This repository contains two variants of a high-performance service that fetches, caches, and serves website favicons:
- Docker/Node.js Variant: A traditional server application designed to run in a Docker container on platforms like Heroku, GCP Cloud Run, or any standard server.
- Cloudflare Worker Variant: A serverless version rewritten to run on Cloudflare's global edge network for extremely low latency.
- Robust Icon Discovery: Exhaustively parses site HTML (including
wwwsubdomains and redirects) for<link>tags before falling back to/favicon.ico. - Best-Fit Sizing: Intelligently finds the icon that best matches the requested size.
- Proxy Service: Fetches and returns the image directly, bypassing client-side CORS issues.
- Base64 Format: Optional flag (
b64) to return a JSON object with a CORS-safedata:URI. - Hybrid Storage: The Docker version uses Redis or an in-memory cache. The Cloudflare version uses Workers KV.
- Advanced Rate Limiting: Configure multiple, concurrent limits per API key or for anonymous users.
- Resilient DNS (Docker only): Optionally bypass a faulty system DNS resolver by using DNS over HTTPS (DoH) or specifying custom DNS servers.
- Debug Logging (Docker only): Enable detailed logging for troubleshooting.
- Secure: Includes SSRF protection, request timeouts, and standard security headers.
Base URL: https://your-app-url.com/
All parameters and their values are case-insensitive. Parameters can be provided via URL query string or request headers, with query string values taking precedence.
domain(Required): The domain to fetch. e.g.,google.com.s/size(Optional): The desired icon size. Default:64.m/magic(Optional): Include the key (e.g.,&m) to enablewwwfallback.b64(Optional): Include the key (e.g.,&b64) to receive a JSON response.key(Optional): An API key for authenticated requests.
Request: GET /?domain=Github.com&S=128
- Response:
- Status:
200 OK - Headers:
Content-Type: image/png - Body:
(raw image data)
- Status:
Request: GET /?domain=github.com&s=128&b64=TRUE
- Response:
- Status:
200 OK - Headers:
Content-Type: application/json - Body:
{ "href": "[https://github.githubassets.com/assets/apple-touch-icon-144x144.png](https://github.githubassets.com/assets/apple-touch-icon-144x144.png)", "base64": "data:image/png;base64,iVBORw0KGgoAAAANSUhE..." }
- Status:
Request: GET /?domain=google.com&key=mysecretkey0
(Header-based authentication is also supported)
The Cloudflare Worker variant runs on Cloudflare's edge network for the lowest possible latency. The deploy button will automatically guide you through creating the required KV namespaces.
Required Manual Step (After Deployment): For security, you must add your API keys as secrets after the initial deployment.
- In the Cloudflare dashboard, navigate to your newly deployed Worker.
- Go to
Settings->Variables. - Under
Environment Variables, clickAdd variable, enter the name (e.g.,AUTHN0), enter the secret value, and clickEncrypt.
Option 1: Deploy with Managed Redis (Production Ready)
Option 2: Deploy Manually or In-Memory
- Clone the repository and
cdinto it. - Review the example configuration in
docker-compose.ymlto understand available environment variables. - (Optional) Customize your local config:
- Edit
docker-compose.ymldirectly, OR - Create a
.envfile with your custom values (Docker Compose will use it automatically)
- Edit
- Run with Docker Compose:
docker-compose up --build
The service will be available at http://localhost:8080.
If you prefer using a .env file instead of editing docker-compose.yml:
PORT=8080
REDIS_URL=redis://redis:6379
CACHE_ENABLED=true
CACHE_TTL_SECONDS=86400
REQ_TIMEOUT_MS=5000
HTML_PAYLOAD_LIMIT=250000
ICON_PAYLOAD_LIMIT=2097152
DEBUG=false
# Optional: DNS over HTTPS
# DOH1=https://dns.google/dns-query
# DOH2=https://cloudflare-dns.com/dns-query
# Optional: API Keys and Rate Limits
# AUTHN0=your_secret_key_here
# LIMIT0=rps:10,rpm:500
# Anonymous Rate Limits
LIMITA=rps:1,rpm:60
LIMITI=rpm:30Variable keys (e.g., PORT, AUTHN0) are case-sensitive.
| Variable | Description | Default |
|---|---|---|
PORT |
The port the server listens on. | 8080 |
REDIS_URL |
Connection string for Redis. If not set, the app falls back to in-memory mode. | "" (none) |
DOH1, DOH2 |
Optional DoH endpoints. DOH1: https://cloudflare-dns.com/dns-query, DOH2: https://dns.google/dns-query. |
"" (none) |
DEBUG |
Set to true to enable detailed console logging for troubleshooting. |
false |
LIMIT_SEPARATOR |
Character for separating multiple rate limit rules. Defaults to ,. Set to ; for GCP. |
, |
CACHE_ENABLED |
Enables/disables caching (true/false). |
true |
CACHE_TTL_SECONDS |
Cache expiration time in seconds. | 86400 (24h) |
IN_MEMORY_CACHE_MAX_SIZE |
Max cache size (in bytes) for in-memory mode. | 52428800 (50MB) |
REQ_TIMEOUT_MS |
Milliseconds to wait for target sites. | 5000 (5s) |
HTML_PAYLOAD_LIMIT |
Max HTML size to download (in bytes). | 250000 (250KB) |
ICON_PAYLOAD_LIMIT |
Max icon file size to download (in bytes). | 2097152 (2MB) |
CUSTOM_USER_AGENT |
Override the default User-Agent string. | Mozilla/5.0 (Macintosh...) |
AUTHN[0-1000] |
API key. e.g., AUTHN0=key_abc. |
"" |
LIMIT[0-1000] |
Rate limit for the corresponding API key. e.g., LIMIT0=rps:10,rpm:500. |
"" |
LIMITA |
Global rate limit for all anonymous users. | rps:1,rpm:60 |
LIMITI |
Per-IP rate limit for anonymous users. Applied in addition to LIMITA. |
"" |
Limits are defined as a comma/semicolon-separated list of unit:value pairs or just value (defaults to rps).
- Units:
rps(requests per second),rpm(minute),rph(hour),rpd(day). - Value of
0: Blocks all requests for that key. - Examples:
rps:10,rpm:500,10(same asrps:10).
Dual Licensed: Personal Non-Commercial OR Commercial
Prohibited without commercial license:
- Business/company use of any kind
- Websites or services accessed by others
- Any gated/monetized/ad-supported use
- Educational/academic/research use
- SaaS or service provision
Commercial licenses available: Contact https://www.kalman.co.il
Full terms: LICENSE.md