Trying to run cors-anywhere locally

server/node_modules/cors-anywhere/test/cert.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsTCCARoCCQDp0DuED0RAJzANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJj
+b3JzLWFueXdoZXJlIHRlc3QwHhcNMTUwNTA2MDcyOTM1WhcNMTUwNjA1MDcyOTM1
+WjAdMRswGQYDVQQDDBJjb3JzLWFueXdoZXJlIHRlc3QwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBALzTF5ClJKvkB6h9h7kLORV+mMV3ySDs+oGZn0NgXM+yb9Zh
+69r5e95zZJl/V432LFdy0hkEcVteUkC2REWG8D4COGfiwWsXyZdaP1qqLpDpPAMm
+v6xFHjW6rVuxzfr4GUjE0Zh9Fg2R2SbtCOcHS/LZoDVOqOvn6+urP6XFY4aFAgMB
+AAEwDQYJKoZIhvcNAQELBQADgYEAYXMhS8ouff/c8lSUUs/CLh010cj5RPk/ivS7
+aN2PArzQ6pZvhpgJKf7XAQksBtLYYZMzIpG6W8zhPSbqzly7lELAdE+sxcbbfu8A
+FMjNVFQ2Fm1c8ImX8qpE3nhVrPAiwfPjGBqKHTl730gvbh1XH9TC4O4dZcbEomX3
+5MsxQfc=
+-----END CERTIFICATE-----

server/node_modules/cors-anywhere/test/child.js

@@ -0,0 +1,64 @@
+// When this module is loaded, CORS Anywhere is started.
+// Then, a request is generated to warm up the server (just in case).
+// Then the base URL of CORS Anywhere is sent to the parent process.
+// ...
+// When the parent process is done, it sends an empty message to this child
+// process, which in turn records the change in used heap space.
+// The difference in heap space is finally sent back to the parent process.
+// ...
+// The parent process should then kill this child.
+
+process.on('uncaughtException', function(e) {
+  console.error('Uncaught exception in child process: ' + e);
+  console.error(e.stack);
+  process.exit(-1);
+});
+
+// Invoke memoryUsage() without using its result to make sure that any internal
+// datastructures that supports memoryUsage() is initialized and won't pollute
+// the memory usage measurement later on.
+process.memoryUsage();
+
+var heapUsedStart = 0;
+function getMemoryUsage(callback) {
+  // Note: Requires --expose-gc
+  // 6 is the minimum amount of gc() calls before calling gc() again does not
+  // reduce memory any more.
+  for (var i = 0; i < 6; ++i) {
+    global.gc();
+  }
+  callback(process.memoryUsage().heapUsed);
+}
+
+var server;
+if (process.argv.indexOf('use-http-instead-of-cors-anywhere') >= 0) {
+  server = require('http').createServer(function(req, res) { res.end(); });
+} else {
+  server = require('../').createServer();
+}
+
+server.listen(0, function() {
+  // Perform 1 request to warm up.
+  require('http').get({
+    hostname: '127.0.0.1',
+    port: server.address().port,
+    path: '/http://invalid:99999',
+    agent: false,
+  }, function() {
+    notifyParent();
+  });
+
+  function notifyParent() {
+    getMemoryUsage(function(usage) {
+      heapUsedStart = usage;
+      process.send('http://127.0.0.1:' + server.address().port + '/');
+    });
+  }
+});
+
+process.once('message', function() {
+  getMemoryUsage(function(heapUsedEnd) {
+    var delta = heapUsedEnd - heapUsedStart;
+    process.send(delta);
+  });
+});

server/node_modules/cors-anywhere/test/dummy.txt

@@ -0,0 +1 @@
+dummy content

server/node_modules/cors-anywhere/test/key.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC80xeQpSSr5AeofYe5CzkVfpjFd8kg7PqBmZ9DYFzPsm/WYeva
++Xvec2SZf1eN9ixXctIZBHFbXlJAtkRFhvA+Ajhn4sFrF8mXWj9aqi6Q6TwDJr+s
+RR41uq1bsc36+BlIxNGYfRYNkdkm7QjnB0vy2aA1Tqjr5+vrqz+lxWOGhQIDAQAB
+AoGBAISy8OelN01Zlowxk/VWTsqtSl3UHdP21uHHfWaTTQZlxzTpYiBknkmp3LQH
+CxfoPidCuSX9ulBUzAdQUFBwUVp8wyPIRjpNyRiD58dLNxG0G+OACqnLxNWqIf6F
+vS3UqrRGIA5u+GSz+0g3DAeVA5JmsAyHQGkJsh3pcuD8/7wNAkEA7MScGfySy9td
+dDBekVU5/GaVg4DA4ELtDNfa99ARB89XP0ps/XrOPEL9yxTjWIHH+qxuhpfG6zGN
+ouxZlvBT9wJBAMwpig4A4JE8M8pBDwMY4213gud8B1grQTbhz5bv51aTaIEQFcxw
+sGfEmAfVToI+kVTrdFggy42YCSMSvwuF4mMCQQDZHkqPwf/TlSwT2i8+UstD28aL
+uswkWvsKZf9UdKbJZKd7UIK1x6HLvRsC2frJNOnvw6PvJMuy7dQWbWqScXxtAkBv
+/5msdO68vbnriiUiHdUliBpXwsKEq7Xq1ZV7x7+wzszVgG106ZzcUAzWvz2CVbCE
+VWZNsi/4TR82DmKff6LhAkBA/xceWaZjxh5dkWkIrMFWd2GFhGlpfwYw7oELwRL8
+RYXzc1Mr2fDdZDgwgjg67JQqIhOQ3E4RGKPgZ+E7Pk3/
+-----END RSA PRIVATE KEY-----

server/node_modules/cors-anywhere/test/setup.js

@@ -0,0 +1,103 @@
+var nock = require('nock');
+
+nock.enableNetConnect('127.0.0.1');
+
+function echoheaders(origin) {
+  nock(origin)
+    .persist()
+    .get('/echoheaders')
+    .reply(function(uri) {
+      var headers = this.req.headers;
+      var excluded_headers = [
+        'accept-encoding',
+        'user-agent',
+        'connection',
+        // Remove this header since its value is platform-specific.
+        'x-forwarded-for',
+        'test-include-xfwd',
+      ];
+      if (!('test-include-xfwd' in headers)) {
+        excluded_headers.push('x-forwarded-port');
+        excluded_headers.push('x-forwarded-proto');
+      }
+      var response = {};
+      Object.keys(headers).forEach(function(name) {
+        if (excluded_headers.indexOf(name) === -1) {
+          response[name] = headers[name];
+        }
+      });
+      return response;
+    });
+}
+
+nock('http://example.com')
+  .persist()
+  .get('/')
+  .reply(200, 'Response from example.com')
+
+  .post('/echopost')
+  .reply(200, function(uri, requestBody) {
+    return requestBody;
+  })
+
+  .get('/setcookie')
+  .reply(200, '', {
+    'Set-Cookie': 'x',
+    'Set-Cookie2': 'y',
+    'Set-Cookie3': 'z', // This is not a special cookie setting header.
+  })
+
+  .get('/redirecttarget')
+  .reply(200, 'redirect target', {
+    'Some header': 'value'
+  })
+
+  .head('/redirect')
+  .reply(302, '', {
+    'Location': '/redirecttarget'
+  })
+
+  .get('/redirect')
+  .reply(302, 'redirecting...', {
+    'header at redirect': 'should not be here',
+    'Location': '/redirecttarget'
+  })
+
+  .get('/redirectposttarget')
+  .reply(200, 'post target')
+
+  .post('/redirectposttarget')
+  .reply(200, 'post target (POST)')
+
+  .post('/redirectpost')
+  .reply(302, 'redirecting...', {
+    'Location': '/redirectposttarget'
+  })
+
+  .post('/redirect307')
+  .reply(307, 'redirecting...', {
+    'Location': '/redirectposttarget'
+  })
+
+  .get('/redirect2redirect')
+  .reply(302, 'redirecting to redirect...', {
+    'Location': '/redirect'
+  })
+
+  .get('/redirectloop')
+  .reply(302, 'redirecting ad infinitum...', {
+    'Location': '/redirectloop'
+  })
+
+  .get('/proxyerror')
+  .replyWithError('throw node')
+;
+
+echoheaders('http://example.com');
+echoheaders('http://example.com:1337');
+echoheaders('https://example.com');
+echoheaders('https://example.com:1337');
+
+nock('http://robots.txt')
+  .get('/')
+  .reply(200, 'this is http://robots.txt');

server/node_modules/cors-anywhere/test/test-memory.js

@@ -0,0 +1,110 @@
+// Run this specific test using:
+// npm test -- -f memory
+var http = require('http');
+var path = require('path');
+var url = require('url');
+var fork = require('child_process').fork;
+
+describe('memory usage', function() {
+  var cors_api_url;
+
+  var server;
+  var cors_anywhere_child;
+  before(function(done) {
+    server = http.createServer(function(req, res) {
+      res.writeHead(200);
+      res.end();
+    }).listen(0, function() {
+      done();
+    });
+  });
+
+  after(function(done) {
+    server.close(function() {
+      done();
+    });
+  });
+
+  beforeEach(function(done) {
+    var cors_module_path = path.join(__dirname, 'child');
+    var args = [];
+    // Uncomment this if you want to compare the performance of CORS Anywhere
+    // with the standard no-op http module.
+    // args.push('use-http-instead-of-cors-anywhere');
+    cors_anywhere_child = fork(cors_module_path, args, {
+      execArgv: ['--expose-gc'],
+    });
+    cors_anywhere_child.once('message', function(cors_url) {
+      cors_api_url = cors_url;
+      done();
+    });
+  });
+
+  afterEach(function() {
+    cors_anywhere_child.kill();
+  });
+
+  /**
+   * Perform N CORS Anywhere proxy requests to a simple test server.
+   *
+   * @param {number} n - number of repetitions.
+   * @param {number} requestSize - Approximate size of request in kilobytes.
+   * @param {number} memMax - Expected maximum memory usage in kilobytes.
+   * @param {function} done - Upon success, called without arguments.
+   *   Upon failure, called with the error as parameter.
+   */
+  function performNRequests(n, requestSize, memMax, done) {
+    var remaining = n;
+    var request = url.parse(
+        cors_api_url + 'http://127.0.0.1:' + server.address().port);
+    request.agent = false; // Force Connection: Close
+    request.headers = {
+      'Long header': new Array(requestSize * 1e3).join('x'),
+    };
+    (function requestAgain() {
+      if (remaining-- === 0) {
+        cors_anywhere_child.once('message', function(memory_usage_delta) {
+          console.log('Memory usage delta: ' + memory_usage_delta +
+              ' (' + n + ' requests of ' + requestSize + ' kb each)');
+          if (memory_usage_delta > memMax * 1e3) {
+            // Note: Even if this error is reached, always profile (e.g. using
+            // node-inspector) whether it is a true leak, and not e.g. noise
+            // caused by the implementation of V8/Node.js.
+            // Uncomment args.push('use-http-instead-of-cors-anywhere') at the
+            // fork() call to get a sense of what's normal.
+            throw new Error('Possible memory leak: ' + memory_usage_delta +
+                ' bytes was not released, which exceeds the ' + memMax +
+                ' kb limit by ' +
+                Math.round(memory_usage_delta / memMax / 10 - 100) + '%.');
+          }
+          done();
+        });
+        cors_anywhere_child.send(null);
+        return;
+      }
+      http.request(request, function() {
+        requestAgain();
+      }).on('error', function(error) {
+        done(error);
+      }).end();
+    })();
+  }
+
+  it('100 GET requests 50k', function(done) {
+    // This test is just for comparison with the following tests.
+    performNRequests(100, 50, 550, done);
+  });
+
+  // 100x 1k and 100x 50k for comparison.
+  // Both should use about the same amount of memory if there is no leak.
+  it('1000 GET requests 1k', function(done) {
+    // Every request should complete within 10ms.
+    this.timeout(1000 * 10);
+    performNRequests(1000, 1, 2000, done);
+  });
+  it('1000 GET requests 50k', function(done) {
+    // Every request should complete within 10ms.
+    this.timeout(1000 * 10);
+    performNRequests(1000, 50, 2000, done);
+  });
+});

server/node_modules/cors-anywhere/test/test.js

@@ -0,0 +1,435 @@
+require('./setup');
+
+var createServer = require('../').createServer;
+var request = require('supertest');
+var path = require('path');
+var fs = require('fs');
+var assert = require('assert');
+
+var helpTextPath = path.join(__dirname, '../lib/help.txt');
+var helpText = fs.readFileSync(helpTextPath, { encoding: 'utf8' });
+
+request.Test.prototype.expectJSON = function(json, done) {
+  this.expect(function(res) {
+    // Assume that the response can be parsed as JSON (otherwise it throws).
+    var actual = JSON.parse(res.text);
+    assert.deepEqual(actual, json);
+  });
+  return done ? this.end(done) : this;
+};
+
+request.Test.prototype.expectNoHeader = function(header, done) {
+  this.expect(function(res) {
+    if (header.toLowerCase() in res.headers) {
+      return 'Unexpected header in response: ' + header;
+    }
+  });
+  return done ? this.end(done) : this;
+};
+
+var cors_anywhere;
+var cors_anywhere_port;
+function stopServer(done) {
+  cors_anywhere.close(function() {
+    done();
+  });
+  cors_anywhere = null;
+}
+
+describe('Basic functionality', function() {
+  before(function() {
+    cors_anywhere = createServer();
+    cors_anywhere_port = cors_anywhere.listen(0).address().port;
+  });
+  after(stopServer);
+
+  it('GET /', function(done) {
+    request(cors_anywhere)
+      .get('/')
+      .type('text/plain')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(200, helpText, done);
+  });
+
+  it('GET /iscorsneeded', function(done) {
+    request(cors_anywhere)
+      .get('/iscorsneeded')
+      .expectNoHeader('access-control-allow-origin', done);
+  });
+
+  it('GET /example.com:65536', function(done) {
+    request(cors_anywhere)
+      .get('/example.com:65536')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(400, 'Port number too large: 65536', done);
+  });
+
+  it('GET /favicon.ico', function(done) {
+    request(cors_anywhere)
+      .get('/favicon.ico')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(404, 'Invalid host: favicon.ico', done);
+  });
+
+  it('GET /robots.txt', function(done) {
+    request(cors_anywhere)
+      .get('/robots.txt')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(404, 'Invalid host: robots.txt', done);
+  });
+
+  it('GET /http://robots.txt should be proxied', function(done) {
+    request(cors_anywhere)
+      .get('/http://robots.txt')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(200, 'this is http://robots.txt', done);
+  });
+
+  it('GET /example.com', function(done) {
+    request(cors_anywhere)
+      .get('/example.com')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('x-request-url', 'http://example.com/')
+      .expect(200, 'Response from example.com', done);
+  });
+
+  it('GET //example.com', function(done) {
+    // '/example.com' is an invalid URL.
+    request(cors_anywhere)
+      .get('//example.com')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(200, helpText, done);
+  });
+
+  it('GET ///example.com', function(done) {
+    // API base URL (with trailing slash) + '//example.com'
+    request(cors_anywhere)
+      .get('///example.com')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('x-request-url', 'http://example.com/')
+      .expect(200, 'Response from example.com', done);
+  });
+
+  it('GET /http://example.com', function(done) {
+    request(cors_anywhere)
+      .get('/http://example.com')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('x-request-url', 'http://example.com/')
+      .expect(200, 'Response from example.com', done);
+  });
+
+  it('POST plain text', function(done) {
+    request(cors_anywhere)
+      .post('/example.com/echopost')
+      .send('{"this is a request body & should not be mangled":1.00}')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('{"this is a request body & should not be mangled":1.00}', done);
+  });
+
+  it('POST file', function(done) {
+    request(cors_anywhere)
+      .post('/example.com/echopost')
+      .attach('file', path.join(__dirname, 'dummy.txt'))
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(/\r\nContent-Disposition: form-data; name="file"; filename="dummy.txt"\r\nContent-Type: text\/plain\r\n\r\ndummy content\n\r\n/, done);
+  });
+
+  it('HEAD with redirect should be followed', function(done) {
+    // Redirects are automatically followed, because redirects are to be
+    // followed automatically per specification regardless of the HTTP verb.
+    request(cors_anywhere)
+      .head('/example.com/redirect')
+      .redirects(0)
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('some header', 'value')
+      .expect('x-request-url', 'http://example.com/redirect')
+      .expect('x-cors-redirect-1', '302 http://example.com/redirecttarget')
+      .expect('x-final-url', 'http://example.com/redirecttarget')
+      .expect('access-control-expose-headers', /some header,x-final-url/)
+      .expectNoHeader('header at redirect')
+      .expect(200, '', done);
+  });
+
+  it('GET with redirect should be followed', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/redirect')
+      .redirects(0)
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('some header', 'value')
+      .expect('x-request-url', 'http://example.com/redirect')
+      .expect('x-cors-redirect-1', '302 http://example.com/redirecttarget')
+      .expect('x-final-url', 'http://example.com/redirecttarget')
+      .expect('access-control-expose-headers', /some header,x-final-url/)
+      .expectNoHeader('header at redirect')
+      .expect(200, 'redirect target', done);
+  });
+
+  it('GET with redirect loop should interrupt', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/redirectloop')
+      .redirects(0)
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('x-request-url', 'http://example.com/redirectloop')
+      .expect('x-cors-redirect-1', '302 http://example.com/redirectloop')
+      .expect('x-cors-redirect-2', '302 http://example.com/redirectloop')
+      .expect('x-cors-redirect-3', '302 http://example.com/redirectloop')
+      .expect('x-cors-redirect-4', '302 http://example.com/redirectloop')
+      .expect('x-cors-redirect-5', '302 http://example.com/redirectloop')
+      .expect('Location', /^http:\/\/127.0.0.1:\d+\/http:\/\/example.com\/redirectloop$/)
+      .expect(302, 'redirecting ad infinitum...', done);
+  });
+
+  it('POST with 302 redirect should be followed', function(done) {
+    request(cors_anywhere)
+      .post('/example.com/redirectpost')
+      .redirects(0)
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('x-request-url', 'http://example.com/redirectpost')
+      .expect('x-cors-redirect-1', '302 http://example.com/redirectposttarget')
+      .expect('x-final-url', 'http://example.com/redirectposttarget')
+      .expect('access-control-expose-headers', /x-final-url/)
+      .expect(200, 'post target', done);
+  });
+
+  it('POST with 307 redirect should not be handled', function(done) {
+    // Because of implementation difficulties (having to keep the request body
+    // in memory), handling HTTP 307/308 redirects is deferred to the requestor.
+    request(cors_anywhere)
+      .post('/example.com/redirect307')
+      .redirects(0)
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('x-request-url', 'http://example.com/redirect307')
+      .expect('Location', /^http:\/\/127.0.0.1:\d+\/http:\/\/example.com\/redirectposttarget$/)
+      .expect('x-final-url', 'http://example.com/redirect307')
+      .expect('access-control-expose-headers', /x-final-url/)
+      .expect(307, 'redirecting...', done);
+  });
+
+  it('OPTIONS /', function(done) {
+    request(cors_anywhere)
+      .options('/')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(200, '', done);
+  });
+
+  it('OPTIONS / with Access-Control-Request-Method / -Headers', function(done) {
+    request(cors_anywhere)
+      .options('/')
+      .set('Access-Control-Request-Method', 'DELETE')
+      .set('Access-Control-Request-Headers', 'X-Tralala')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('Access-Control-Allow-Methods', 'DELETE')
+      .expect('Access-Control-Allow-Headers', 'X-Tralala')
+      .expect(200, '', done);
+  });
+
+  it('OPTIONS //bogus', function(done) {
+    // The preflight request always succeeds, regardless of whether the request
+    // is valid.
+    request(cors_anywhere)
+      .options('//bogus')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(200, '', done);
+  });
+
+  it('X-Forwarded-* headers', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/echoheaders')
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com',
+        'x-forwarded-port': String(cors_anywhere_port),
+        'x-forwarded-proto': 'http',
+      }, done);
+  });
+
+  it('X-Forwarded-* headers (non-standard port)', function(done) {
+    request(cors_anywhere)
+      .get('/example.com:1337/echoheaders')
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com:1337',
+        'x-forwarded-port': String(cors_anywhere_port),
+        'x-forwarded-proto': 'http',
+      }, done);
+  });
+
+  it('X-Forwarded-* headers (https)', function(done) {
+    request(cors_anywhere)
+      .get('/https://example.com/echoheaders')
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com',
+        'x-forwarded-port': String(cors_anywhere_port),
+        'x-forwarded-proto': 'http',
+      }, done);
+  });
+
+  it('Ignore cookies', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/setcookie')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('Set-Cookie3', 'z')
+      .expectNoHeader('set-cookie')
+      .expectNoHeader('set-cookie2', done);
+  });
+
+  it('Proxy error', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/proxyerror')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(404, 'Not found because of proxy error: Error: throw node', done);
+  });
+});
+
+describe('server on https', function() {
+  var NODE_TLS_REJECT_UNAUTHORIZED;
+  before(function() {
+    cors_anywhere = createServer({
+      httpsOptions: {
+        key: fs.readFileSync(path.join(__dirname, 'key.pem')),
+        cert: fs.readFileSync(path.join(__dirname, 'cert.pem')),
+      },
+    });
+    cors_anywhere_port = cors_anywhere.listen(0).address().port;
+    // Disable certificate validation in case the certificate expires.
+    NODE_TLS_REJECT_UNAUTHORIZED = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+  });
+  after(function(done) {
+    if (NODE_TLS_REJECT_UNAUTHORIZED === undefined) {
+      delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+    } else {
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = NODE_TLS_REJECT_UNAUTHORIZED;
+    }
+    stopServer(done);
+  });
+
+  it('X-Forwarded-* headers (http)', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/echoheaders')
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com',
+        'x-forwarded-port': String(cors_anywhere_port),
+        'x-forwarded-proto': 'https',
+      }, done);
+  });
+
+  it('X-Forwarded-* headers (https)', function(done) {
+    request(cors_anywhere)
+      .get('/https://example.com/echoheaders')
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com',
+        'x-forwarded-port': String(cors_anywhere_port),
+        'x-forwarded-proto': 'https',
+      }, done);
+  });
+
+  it('X-Forwarded-* headers (https, non-standard port)', function(done) {
+    request(cors_anywhere)
+      .get('/https://example.com:1337/echoheaders')
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com:1337',
+        'x-forwarded-port': String(cors_anywhere_port),
+        'x-forwarded-proto': 'https',
+      }, done);
+  });
+});
+
+describe('requireHeader', function() {
+  before(function() {
+    cors_anywhere = createServer({
+      requireHeader: ['origin', 'x-requested-with'],
+    });
+    cors_anywhere_port = cors_anywhere.listen(0).address().port;
+  });
+  after(stopServer);
+
+  it('GET /example.com without header', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(400, 'Missing required request header. Must specify one of: origin,x-requested-with', done);
+  });
+
+  it('GET /example.com with X-Requested-With header', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/')
+      .set('X-Requested-With', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(200, done);
+  });
+
+  it('GET /example.com with Origin header', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/')
+      .set('Origin', 'null')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect(200, done);
+  });
+});
+
+describe('removeHeaders', function() {
+  before(function() {
+    cors_anywhere = createServer({
+      removeHeaders: ['cookie', 'cookie2'],
+    });
+    cors_anywhere_port = cors_anywhere.listen(0).address().port;
+  });
+  after(stopServer);
+
+  it('GET /example.com with request cookie', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/echoheaders')
+      .set('cookie', 'a')
+      .set('cookie2', 'b')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com',
+      }, done);
+  });
+
+  it('GET /example.com with unknown header', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/echoheaders')
+      .set('cookie', 'a')
+      .set('cookie2', 'b')
+      .set('cookie3', 'c')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com',
+        cookie3: 'c',
+      }, done);
+  });
+});
+
+describe('httpProxyOptions.xfwd=false', function() {
+  before(function() {
+    cors_anywhere = createServer({
+      httpProxyOptions: {
+        xfwd: false
+      }
+    });
+    cors_anywhere_port = cors_anywhere.listen(0).address().port;
+  });
+  after(stopServer);
+
+  it('X-Forwarded-* headers should not be set', function(done) {
+    request(cors_anywhere)
+      .get('/example.com/echoheaders')
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expectJSON({
+        host: 'example.com',
+      }, done);
+  });
+});