SAFE

No threats detected

All checks passed. This site appears legitimate — but always stay alert for phishing even on trusted domains.

Security Review

Is api.allorigins.win legit or a scam?

Our verdict:Safe· 80/100

7.3-year-old open-source CORS proxy with clean scans and no scam reports found.

api.allorigins.winScanned 1h ago
0
Trust score
SAFE
Score breakdown
Heuristics 90·MT 75
Screenshot of api.allorigins.winSee the live page ↓
Positive signals (5)
Antivirus clearNot on major blacklistsDomain is 7 years oldEncrypted connectionClean server reputation
View density

Analysis Summary

Threat Intelligence
0/92
All engines report clean
Domain Age
7 years old
Registered Mar 5, 2019
Intelligence
Safe
Low likelihood · 85% confidence

Website Preview

Screenshot of api.allorigins.win
LIVE RENDER
api.allorigins.win

Automated page render — captured in a safe sandbox. What an ordinary visitor would see when loading the site. See full visual analysis →

Visual analysis

We capture a fresh screenshot of the live page and ask a vision model to look for scam visual patterns — fake trust badges, countdown timers, overlay pop-ups, and visual clones of legitimate brands.

50
/ 100
Visual inspection

Visual similarities noted — cleared by the overall checks

Our vision model noted some visual similarity to a known brand, but the domain, security records, and reputation checks confirm this is the legitimate site — so this is shown for transparency, not as a red flag.

Visual similarity50/100

What our vision model saw

1 signal

Page renders a plain text error message: 'Invalid request type'

Intelligence

Advanced threat intelligence
Analysis
Low scam likelihoodengineMT · Guardiantrust75/100
MT AgentLive web researchVisual inspection
0%
Confidence
The domain api.allorigins.win has been registered since March 2019 and shows no malicious detections across 92 engines. The page itself returns a plain server error message rather than any login, payment, or data-collection form. Our web research found the service documented on developer forums as a legitimate GitHub project by user gnuns, with no complaints or fraud reports. The low trust-aggregator score reflects limited commercial presence rather than negative signals. No business registration exists because this is a personal open-source project, not a company. The combination of age, clean infrastructure, and transparent GitHub origin supports a safe classification for its intended technical use.
Full dossier
Analysis complete

Page Content

The page returns a plain-text server error stating 'Invalid request type' on a blank background. No forms, login fields, payment prompts, or marketing content appear. The service is designed as a backend API endpoint rather than a consumer-facing site.

Infrastructure

Hosted on IP 104.21.38.59 with an abuse score of 0/100 and only one historical report. SSL certificate is valid and issued by Google Trust Services. No redirects occur and the domain shows no homoglyph or IDN manipulation. The setup matches a typical lightweight API hosting configuration.

Domain History

Registered on 2019-03-05 through Porkbun, giving the domain an age of 7.3 years. WHOIS privacy protection is disabled, which is consistent with an open-source project that lists its maintainer publicly. No ownership changes or recent re-registrations appear in the record.

Web Reputation

Our research found zero scam reports, zero complaints, and zero malware associations. The project is referenced positively on Stack Overflow, Reddit, and Hacker News as a working CORS proxy. GitHub user gnuns maintains the repository with sponsorship links, confirming the personal open-source nature of the service. No business registration exists because none is required for this type of project.

What this means for you

The site functions as a developer utility, not a consumer service. Developers can continue using it for legitimate CORS bypass needs, but treat any API key or token handling with normal caution as with any third-party service.

Risk Factors
2
  • Low traffic ranking means fewer independent verifications of uptime and reliability.
  • Trust aggregator score sits at 40/100, reflecting limited commercial footprint rather than active complaints.
Positive Signals
4
  • Domain registered 7.3 years ago with stable ownership through Porkbun.
  • Zero detections across 92 antivirus engines and clean browser blocklist status.
  • Explicit GitHub repository and maintainer name publicly documented.
  • No scam reports, fraud complaints, or malware associations found in web research.
AI Recommendation
Safe to use as a technical CORS proxy for development work. Do not enter personal credentials or payment details, as this is an API endpoint rather than a consumer service.
Next-gen fraud intelligence
Evidence-backedCross-checked

Web Research Findings

Our live research agent queries scam-report databases, consumer-review sites, news coverage, and general web search for api.allorigins.win, then cross-checks business-registration records and look-alike domain patterns. Everything below is pulled from what it actually found.

Business registration
No public record found
Could not match the site to a registered company — common for small sites.
Independent review aggregators
40/100 · questionable
Average across 1 independent review aggregator.
Clone check
Not a clone
No well-known site's layout or branding detected here.
Typosquat check
No look-alike match
The domain doesn't resemble any well-known brand's spelling.
Web mentions
No scam reports found
No complaints, no negative coverage turned up in our sweep.
Web ratings
Scores pulled directly from third-party trust & review sites
ScamAdviser
40/100
Questionableopen
Key findings
7 headline facts from open-web research
  • Domain api.allorigins.win (allorigins.win) registered March 2019, age ~7.3 years.
  • Free open-source CORS proxy service for fetching web content (JSON/raw/JSONP) to bypass same-origin policy; GitHub: gnuns/allOrigins by Gabriel Nunes.
  • Homepage explicitly describes it as 'free and open source javascript AnyOrigin alternative' with usage examples for Wikipedia and other sites.
  • Widely referenced in developer forums (Stack Overflow, Reddit r/learnjavascript, HN) as a working CORS proxy for testing; multiple code snippets and tutorials.
  • No scam reports, fraud complaints, malware associations, or negative reviews found across searches on scam sites, Reddit, or general web.
  • ScamAdviser score of 40/100 noted in input; no Trustpilot or ScamDoc listings.
  • Hosted as personal project; GitHub profile links to sponsorships (Patreon, Liberapay, Ko-fi) under gnuns.
Research summary
Narrative write-up from our AI analyst, grounded on the facts above

We searched scam-report databases, consumer-review sites, and general web sources for api.allorigins.win and didn't find scam reports or complaints. The service appears as a documented open-source project by GitHub user gnuns with references on developer forums. No business registration exists because this is a personal project rather than a commercial entity.

Domain Timeline

  1. Mar 5, 2019
    Domain registered

    First appeared in WHOIS records — 7.3 years old today.

  2. Jul 9, 2026
    Latest security review — Reviewed as safe

    This scan re-ran every check and found no active threat signals.

api.allorigins.win has operated for years with no threat signals in this review — a long, stable track record, though it is never a guarantee on its own.

Threat Detection

Antivirus Engines

Clean pass · verified
Clean across 92 engines

We cross-check every URL against our antivirus network of 92 malware and blacklist engines. None of them flagged this URL in the last scan.

0Malicious0Suspicious58Harmless92Engines
Clean
Kaspersky
Clean
Bitdefender
Clean
Microsoft
Not in pass
ESET-NOD32
Not in pass
Avira
Not in pass
Sophos
Clean
Fortinet
Clean
Google Safebrowsing
Clean
Emsisoft
Clean

No engine detections. The URL passed every antivirus and blacklist engine we queried in this scan. Stay vigilant — AV coverage is only one signal among many.

Security Scans

Blacklist Check
Not flagged on major threat lists

Checked against the major public blocklists used by browsers and security tools — no hits.

Reputation Sources

How this domain rates across independent threat-intelligence and blocklist providers.

Google Safe Browsing
Not listedCheck ↗
VirusTotal
Not listedCheck ↗
AbuseIPDB
Not listedCheck ↗

Technical Details

Domain & Encryption

Domain History
Age7 years old
RegistrarPorkbun
RegisteredMar 5, 2019
ExpiresMar 5, 2027
Owner privacyVisible
Encryption Certificate
StatusValid
ProtocolTLSv1.3
IssuerGoogle Trust Services · WE1
ExpiresOct 5, 2026 (87d)
Self-signedNo
Hosting & Technology
HostingCloudflare, Inc.
Server locationUS

Server Reputation

Abuse Intelligence
Confidence score0%
Reports on file1
ISPCloudflare, Inc.
Usage typeContent Delivery Network

What to do

Still, stay alert

No major threat indicators — but a clean scan does not guarantee every page is safe, and phishing emails routinely spoof real domains.

  • Double-check the exact URL in your address bar

    Confirm you are actually on api.allorigins.win and not a lookalike like a-pi.allorigins.win.com or an IDN homoglyph.

  • Use a password manager

    Password managers only auto-fill on the exact domain they were saved for — they refuse to fill lookalike domains, which is the single best phishing defence.

  • Discuss this site on the forum

    If you have first-hand experience with this site — good or bad — share it with the MalwareTips community.

    Open

Final Verdict

0
Trust / 100
Final Verdict·api.allorigins.win
SAFE

This is a free open-source CORS proxy service used by developers to bypass browser restrictions. The domain is 7.3 years old with clean scans and no scam reports. Treat it as a technical utility rather than a consumer site.

Safe to use as a technical CORS proxy for development work. Do not enter personal credentials or payment details, as this is an API endpoint rather than a consumer service.

AV engines
92
Domain age
7 yrs
Flagged
0
Scan another URL
Security review completemalwaretips.com/url-scan

Safety FAQ

Common questions about this site, answered directly from the scan data above — so the answers always reflect the latest verdict on this page.

  • Our automated security review found no threat indicators on api.allorigins.win. The site appears legitimate based on the signals we checked, but always stay alert for phishing emails that spoof real domains.
  • api.allorigins.win passed our automated security checks with a trust score of 80/100. No antivirus engines or major blacklists flagged the site at the time of the last scan.
  • Yes. api.allorigins.win presents a valid TLSv1.3 certificate issued by Google Trust Services · WE1, expiring in 87 days. Note that SSL only encrypts the connection — it does not guarantee that the site itself is trustworthy.
  • api.allorigins.win is 7.4 years old, registered on 3/5/2019 through Porkbun. Scam domains are often freshly registered — a site under 6 months old warrants extra caution.
  • No. All 92 antivirus engines in our malware network report api.allorigins.win as clean.
  • No. api.allorigins.win is not currently listed on the major browser blocklist feeds that modern browsers use.
  • api.allorigins.win resolves to an IP operated by Cloudflare, Inc. in US (usage type: Content Delivery Network). Hosting location alone doesn't make a site good or bad, but unusual geography for a brand's claimed country is one of many signals we weigh.
  • Independent trust-rating sites currently show the following for api.allorigins.win: ScamAdviser: 40/100. Those scores come from user reviews and their own heuristics, so they are worth comparing against our verdict.
Recently scanned

Other Safe reports

Browse all reports
Community review

User reviews & comments(0)

Share your experience — "Lost $200 on a fake checkout" is more useful than "Scam". Your review helps others avoid traps.

Loading…
Loading comments…
This report is generated automatically by combining threat intelligence, domain signals, and an AI security analyst. It is informational, not legal advice. Always use your own judgement before sharing personal information or money online.