PHPackages                             wp-php-toolkit/corsproxy - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Utility &amp; Helpers](/categories/utility)
4. /
5. wp-php-toolkit/corsproxy

ActiveLibrary[Utility &amp; Helpers](/categories/utility)

wp-php-toolkit/corsproxy
========================

CORSProxy component for WordPress.

v0.8.1(1mo ago)0118GPL-2.0-or-laterPHPPHP &gt;=7.2

Since May 20Pushed 1mo agoCompare

[ Source](https://github.com/wp-php-toolkit/corsproxy)[ Packagist](https://packagist.org/packages/wp-php-toolkit/corsproxy)[ Docs](https://wordpress.github.io/php-toolkit/reference/corsproxy.html)[ RSS](/packages/wp-php-toolkit-corsproxy/feed)WikiDiscussions trunk Synced today

READMEChangelogDependencies (4)Versions (49)Used By (0)

   slug corsproxy   title CORSProxy   install wp-php-toolkit/corsproxy   see\_also    httpclient | HttpClient | Fetch upstream responses from PHP when browser CORS blocks direct access.

 httpserver | HttpServer | Understand the local-server shape before deploying a proxy endpoint.

    A small PHP CORS proxy intended for browser-side code that needs to reach servers without CORS headers.

Why this exists
---------------

[](#why-this-exists)

A Playground-style browser tool reads `https://api.github.com/repos/WordPress/php-toolkit`, a plugin ZIP from `downloads.wordpress.org`, or a raw fixture from GitHub. The browser blocks the response when the upstream server does not send the required CORS headers, even though PHP can fetch the same public URL server-side.

The CORSProxy component is that server-side bridge. It accepts a target URL, fetches it from PHP, and returns a browser-readable response. Because an open proxy is a security and abuse risk, real deployments should add host allowlists, rate limits, header controls, and private-network protections appropriate to their environment.

Run the proxy locally
---------------------

[](#run-the-proxy-locally)

**Run on your machine:** the proxy needs to listen on a port. Start PHP's built-in server and request any HTTPS URL through it.

```
PLAYGROUND_CORS_PROXY_DISABLE_RATE_LIMIT=1 \
  php -S 127.0.0.1:5263 vendor/wp-php-toolkit/corsproxy/cors-proxy.php

# In another terminal:
curl -s "http://127.0.0.1:5263/cors-proxy.php/https://api.github.com/repos/WordPress/php-toolkit" | head

```

Production rate limiting
------------------------

[](#production-rate-limiting)

Drop a `cors-proxy-config.php` next to `cors-proxy.php`. If that file defines a `playground_cors_proxy_maybe_rate_limit()` function, the proxy calls it before forwarding any request — your one chance to reject early. Without that function the proxy relies only on its coarse built-in safeguards, so production deployments should provide their own rate limiting.

This example uses a per-IP token bucket stored on disk. Replace with Redis or memcached for multi-host deployments.

```
