No threats detected
All checks passed. This site appears legitimate — but always stay alert for phishing even on trusted domains.
Is api.allorigins.win legit or a scam?
7.3-year-old open-source CORS proxy with clean scans and no scam reports found.
Analysis Summary
Website Preview

Automated page render — captured in a safe sandbox. What an ordinary visitor would see when loading the site. See full visual analysis →
Visual analysis
We capture a fresh screenshot of the live page and ask a vision model to look for scam visual patterns — fake trust badges, countdown timers, overlay pop-ups, and visual clones of legitimate brands.
Visual similarities noted — cleared by the overall checks
Our vision model noted some visual similarity to a known brand, but the domain, security records, and reputation checks confirm this is the legitimate site — so this is shown for transparency, not as a red flag.
What our vision model saw
1 signalPage renders a plain text error message: 'Invalid request type'
Intelligence
The domain api.allorigins.win has been registered since March 2019 and shows no malicious detections across 92 engines. The page itself returns a plain server error message rather than any login, payment, or data-collection form. Our web research found the service documented on developer forums as a legitimate GitHub project by user gnuns, with no complaints or fraud reports. The low trust-aggregator score reflects limited commercial presence rather than negative signals. No business registration exists because this is a personal open-source project, not a company. The combination of age, clean infrastructure, and transparent GitHub origin supports a safe classification for its intended technical use.
Web Research Findings
Our live research agent queries scam-report databases, consumer-review sites, news coverage, and general web search for api.allorigins.win, then cross-checks business-registration records and look-alike domain patterns. Everything below is pulled from what it actually found.
- Domain api.allorigins.win (allorigins.win) registered March 2019, age ~7.3 years.
- Free open-source CORS proxy service for fetching web content (JSON/raw/JSONP) to bypass same-origin policy; GitHub: gnuns/allOrigins by Gabriel Nunes.
- Homepage explicitly describes it as 'free and open source javascript AnyOrigin alternative' with usage examples for Wikipedia and other sites.
- Widely referenced in developer forums (Stack Overflow, Reddit r/learnjavascript, HN) as a working CORS proxy for testing; multiple code snippets and tutorials.
- No scam reports, fraud complaints, malware associations, or negative reviews found across searches on scam sites, Reddit, or general web.
- ScamAdviser score of 40/100 noted in input; no Trustpilot or ScamDoc listings.
- Hosted as personal project; GitHub profile links to sponsorships (Patreon, Liberapay, Ko-fi) under gnuns.
We searched scam-report databases, consumer-review sites, and general web sources for api.allorigins.win and didn't find scam reports or complaints. The service appears as a documented open-source project by GitHub user gnuns with references on developer forums. No business registration exists because this is a personal project rather than a commercial entity.
Domain Timeline
- Mar 5, 2019Domain registered
First appeared in WHOIS records — 7.3 years old today.
- Jul 9, 2026Latest security review — Reviewed as safe
This scan re-ran every check and found no active threat signals.
api.allorigins.win has operated for years with no threat signals in this review — a long, stable track record, though it is never a guarantee on its own.
Threat Detection
Antivirus Engines
Security Scans
Checked against the major public blocklists used by browsers and security tools — no hits.
Reputation Sources
How this domain rates across independent threat-intelligence and blocklist providers.
Technical Details
domain · encryption · redirects · server reputation · referencedDomain & Encryption
Server Reputation
What to do
Still, stay alert
No major threat indicators — but a clean scan does not guarantee every page is safe, and phishing emails routinely spoof real domains.
- Double-check the exact URL in your address bar
Confirm you are actually on api.allorigins.win and not a lookalike like a-pi.allorigins.win.com or an IDN homoglyph.
- Use a password manager
Password managers only auto-fill on the exact domain they were saved for — they refuse to fill lookalike domains, which is the single best phishing defence.
- OpenDiscuss this site on the forum
If you have first-hand experience with this site — good or bad — share it with the MalwareTips community.
Final Verdict
This is a free open-source CORS proxy service used by developers to bypass browser restrictions. The domain is 7.3 years old with clean scans and no scam reports. Treat it as a technical utility rather than a consumer site.
Safety FAQ
Common questions about this site, answered directly from the scan data above — so the answers always reflect the latest verdict on this page.
- Our automated security review found no threat indicators on api.allorigins.win. The site appears legitimate based on the signals we checked, but always stay alert for phishing emails that spoof real domains.
- api.allorigins.win passed our automated security checks with a trust score of 80/100. No antivirus engines or major blacklists flagged the site at the time of the last scan.
- Yes. api.allorigins.win presents a valid TLSv1.3 certificate issued by Google Trust Services · WE1, expiring in 87 days. Note that SSL only encrypts the connection — it does not guarantee that the site itself is trustworthy.
- api.allorigins.win is 7.4 years old, registered on 3/5/2019 through Porkbun. Scam domains are often freshly registered — a site under 6 months old warrants extra caution.
- No. All 92 antivirus engines in our malware network report api.allorigins.win as clean.
- No. api.allorigins.win is not currently listed on the major browser blocklist feeds that modern browsers use.
- api.allorigins.win resolves to an IP operated by Cloudflare, Inc. in US (usage type: Content Delivery Network). Hosting location alone doesn't make a site good or bad, but unusual geography for a brand's claimed country is one of many signals we weigh.
- Independent trust-rating sites currently show the following for api.allorigins.win: ScamAdviser: 40/100. Those scores come from user reviews and their own heuristics, so they are worth comparing against our verdict.
User reviews & comments(0)
Share your experience — "Lost $200 on a fake checkout" is more useful than "Scam". Your review helps others avoid traps.