- saves bytes, and avoids triggering IDS/WAF alarms since browser
fingerprinting will prove these headers are unnatural and on SSL must be a MITM
attack
- leave x-forwarded-* intact since they can be used to block CORS proxy
abuse if the not-CORS origin webmaster really has to block the proxy
and they are not unique to the Heroku platform

- Add checkRateLimit option to the API.
- Extend the default server.js with environment variables
CORSANYWHERE_WHITELIST (re-using originWhitelist) and
CORSANYWHERE_RATELIMIT (using the new checkRateLimit option)
to make it easy to enforce usage limits.
- Document that Heroku doesn't want open proxies.

Some clients try to use CORS Anywhere, even for same-origin requests...
Add a new setting "redirectSameOrigin" to not waste server resources on
proxying such requests.
Fixes #42

One of the following headers is required by default:
- Origin: This header is always sent with CORS requests.
- X-Requested-With: This header is automatically added by jQuery on
same-origin requests.
These two headers effectively disable the ability to use the CORS
proxy for regular browsing.
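
The required-header check described above, chained with the origin whitelist and rate limit from the earlier commit message, as an added JavaScript sketch that is not CORS Anywhere's own code. `gateRequest`, `createRateLimiter`, the status codes, the fixed-window limiter and the whitelist semantics are assumptions made for this example.

```javascript
'use strict';
// Added sketch, not CORS Anywhere's code. Function names, status codes and
// the fixed-window limiter are assumptions made for this example.

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Fixed-window counter per origin: at most `max` requests every `windowMs`.
function createRateLimiter(max, windowMs) {
  const windows = new Map(); // origin -> { start, count }
  return function overLimit(origin, now) {
    let w = windows.get(origin);
    if (!w || now - w.start >= windowMs) {
      w = { start: now, count: 0 };
      windows.set(origin, w);
    }
    w.count += 1;
    return w.count > max;
  };
}

// Decide whether the proxy should serve a request. `now` is in milliseconds.
function gateRequest(rawHeaders, opts, now) {
  const headers = normalize(rawHeaders);
  // 1. Address-bar navigation sends neither header, so plain browsing stops here.
  const hasRequired = opts.requireHeader.some((h) => Boolean(headers[h]));
  if (!hasRequired) return { allowed: false, status: 400, reason: 'missing required header' };
  const origin = headers.origin || '';
  // 2. Assumed semantics: an empty whitelist admits every origin.
  if (opts.originWhitelist.length > 0 && !opts.originWhitelist.includes(origin)) {
    return { allowed: false, status: 403, reason: 'origin not whitelisted' };
  }
  // 3. Usage limit, counted per origin.
  if (opts.overLimit(origin, now)) {
    return { allowed: false, status: 429, reason: 'rate limit exceeded' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}
```

A request that carries only X-Requested-With has an empty origin here, so it is counted in its own rate-limit bucket and is rejected whenever the whitelist is non-empty.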