http-proxy-middleware
HTTP proxy middleware for Node.js. Routes HTTP/WebSocket requests to a target server, enabling reverse proxy behavior in Express.js applications. The standard solution for development CORS proxying (frontend dev server proxying to backend API), API gateway routing, and microservice proxying. Powers Create React App's proxy, Vue CLI's devServer.proxy, and webpack-dev-server's proxy option. Supports path rewriting, target modification per request, SSL, and WebSocket proxying.
Score Breakdown
🔒 Security
SSRF is possible if the proxy target is user-controlled, so always whitelist allowed targets. SSL verification is configurable. There is no built-in auth. changeOrigin can expose internal hostnames.
Best When
You need development-time CORS proxying, simple path-based API routing in Express, or WebSocket proxying in a Node.js application.
Avoid When
You need production-grade reverse proxying, load balancing, or complex API gateway features — use NGINX or a dedicated API gateway.
Use Cases
- Proxy frontend development server requests to backend API to avoid CORS during local development
- Implement simple API gateway routing rules in Express — route /api/users to user-service, /api/orders to order-service
- Route WebSocket connections through an Express server to a WebSocket backend using the ws: true option
- Rewrite URL paths when proxying — strip /api prefix before forwarding to microservice using pathRewrite
- Add authentication headers to proxied requests using the on.proxyReq handler for outbound request modification
Not For
- Production API gateways at scale — use NGINX, Envoy, or Kong for production-grade reverse proxying with rate limiting and circuit breaking
- Load balancing — http-proxy-middleware proxies to a single target; use nginx or HAProxy for load balancing
- Complex routing rules — use dedicated API gateway solutions for complex routing logic
Interface
Authentication
No built-in auth — use on.proxyReq handler to add auth headers to proxied requests. Target server handles auth.
Pricing
Fully free, MIT licensed.
Agent Metadata
Known Gotchas
- ⚠ v3 introduced breaking API changes from v2 — createProxyMiddleware() now requires explicit target in options, and event handlers moved to on: { proxyReq, error } object
- ⚠ WebSocket proxying requires ws: true option AND must be manually upgraded for Express — use server.on('upgrade', proxy.upgrade) to handle WebSocket upgrades
- ⚠ SSL certificate verification: by default, proxy verifies target SSL certs — for local dev with self-signed certs, use secure: false option (never in production)
- ⚠ Path rewriting doesn't affect Host header — if target server routes by Host, set changeOrigin: true to update the Host header to match the target
- ⚠ Error handling is crucial — unhandled proxy errors crash the middleware; always provide on.error handler to return proper HTTP error responses
- ⚠ SSRF risk: if target URL is user-controlled, http-proxy-middleware can be used for Server-Side Request Forgery — always validate/whitelist target URLs
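One way to apply the SSRF gotcha above when the target has to vary per request. This is an added example, not code from http-proxy-middleware or from this page; the service origins, the x-upstream header and the function names are assumptions made for illustration.

```javascript
// Added example, not code from http-proxy-middleware.
// Constructed sample allowlist: exact origins (scheme + host + port) of permitted upstreams.
const ALLOWED_ORIGINS = new Set([
  'http://user-service.internal:3001',
  'http://order-service.internal:3002',
]);

// Returns the allowlisted origin for a caller-supplied URL, or null.
function resolveTarget(candidate) {
  if (typeof candidate !== 'string') return null;
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // unparseable input fails closed
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null; // reject "allowed-host@other-host" forms
  // Compare the parsed origin, never a prefix or substring of the raw string.
  return ALLOWED_ORIGINS.has(url.origin) ? url.origin : null;
}

// Express-style guard: runs before the proxy and rejects unlisted targets.
// The x-upstream header is a hypothetical way for the caller to name a target.
function targetGuard(req, res, next) {
  const target = resolveTarget(req.headers['x-upstream']);
  if (target === null) {
    res.statusCode = 403;
    res.end('proxy target not allowed');
    return;
  }
  req.proxyTarget = target; // only the validated origin travels further
  next();
}

// Wiring sketch (assumes express and http-proxy-middleware v3 are installed):
//   app.use('/api', targetGuard, createProxyMiddleware({
//     target: 'http://user-service.internal:3001',
//     router: (req) => req.proxyTarget,
//   }));
```

Because the guard returns only the parsed origin, any path or query in the caller-supplied URL is discarded and the proxied path still comes from the incoming request.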
Scores are editorial opinions as of 2026-03-07.