A deliberately dumb, no-logging CORS forward proxy on Cloudflare Workers. It is the hosted default relay for save brain power, and it is designed to be equally easy to run yourself.
This directory is the source for the standalone savebrainpower/proxy
repository.
save brain power is zero-knowledge: the app's servers only ever store ciphertext, so anything that needs plaintext — AI calls with your own API key, integration syncs, link previews — runs in your browser against third-party APIs. Most of those APIs don't send CORS headers, so the browser needs a relay. This is that relay, and nothing more.
You have two options, and both are first-class:
- Use the hosted default at
https://proxy.savebrainpower.xyz— zero setup. - Deploy your own (below) — then your plaintext never touches infrastructure you don't control. This is the stronger privacy posture and the reason this repo is public: you can read every line the relay runs.
Append the absolute target URL to the proxy origin — the one convention a
browser fetch can express for a forward proxy:
GET https://<proxy-host>/https://api.openai.com/v1/models
POST https://<proxy-host>/https://api.anthropic.com/v1/messages
Method, body, and headers are forwarded as-is, except for what gets stripped (see Privacy). The response comes back with permissive CORS for allowed origins. That's the whole API.
- No logs, no analytics, no storage. Workers observability is disabled in
wrangler.tomland the source contains noconsole.*. The only per-request memory is the rate limiter's transient counter. - Stripped on the way in:
Cookie,Origin,Referer, and everycf-*/x-forwarded-*/x-real-ipheader — the target does not learn who or where you are from us. - Stripped on the way out:
Set-Cookie(a target can't plant state on the proxy domain) and the target's own CORS headers (ours win). - SSRF guard: loopback, RFC-1918, link-local, metadata, and self-referential targets are refused.
Per-IP rate limiting via Cloudflare's native rate-limiting binding (default:
100 requests/minute) — chosen precisely because it keeps no logs and needs no
storage. Browser access is additionally scoped by ALLOWED_ORIGINS.
bun install # or npm install
bunx wrangler deploy # after: remove/adjust `routes` in wrangler.tomlConfiguration lives in wrangler.toml for local use.
If you are using the standalone savebrainpower/proxy repository, start from
wrangler.example.toml and copy it into place:
cp wrangler.example.toml wrangler.tomlThen edit the copied file:
[[unsafe.bindings]] … simple = { limit, period }— the per-IP rate limit.
Requirements:
- Bun
- A Cloudflare account if you want to run
wrangler devagainst the worker
Install dependencies:
bun installRun the worker locally:
bun run devThen configure http://localhost:8788 on https://app.savebrainpower.xyz/settings?tab=proxy
Other useful commands:
bun run test
bun run typecheck
bun run fmtIf you want to deploy to a Cloudflare worker of your own:
bun run deploy