Skip to main content
GET
/
api
/
proxy
GET /api/proxy
curl --request GET \
  --url https://vyla-api.pages.dev/api/proxy
{
  "error": "<string>"
}
Proxies any URL through Cloudflare Workers. Handles CORS, injects required Referer and Origin headers, and rewrites m3u8 playlists so all segment URLs are also proxied automatically — the entire HLS stream plays without CORS issues in any browser player. Also accepts HEAD requests for live source checking.

Query Parameters

url
string
required
URL-encoded target URL to proxy.
headers
string
Base64-encoded JSON object of additional request headers. Used to forward Referer, Origin, or any other header required by the CDN.
const headers = { Referer: "https://vixsrc.to/", Origin: "https://vixsrc.to" };
const encoded = btoa(JSON.stringify(headers));
// &headers=eyJSZWZlcmVyIjoiaHR0cHM6...

Example Request

curl "https://vyla-api.pages.dev/api/proxy?url=https%3A%2F%2Fexample.com%2Fvideo.mp4"

M3U8 Rewriting

When the proxied URL returns an m3u8 playlist, all segment and variant URLs inside it are automatically rewritten to also go through /api/proxy. This ensures the entire HLS stream plays without CORS issues. 
Original segment:  https://cdn.example.com/seg001.ts
Rewritten segment: https://vyla-api.pages.dev/api/proxy?url=https%3A%2F%2Fcdn.example.com%2Fseg001.ts
If the original request included a headers param, it is preserved and forwarded for every rewritten segment URL automatically.

Automatic Header Injection

For known providers, the proxy injects the correct headers even without the headers param:
DomainAuto-injected headers
tripplestream.online, hlmv-filesReferer: https://www.rgshows.ru, Origin: https://www.rgshows.ru
Any other URLReferer and Origin set to the URL’s own origin

Encoding Headers

const headers = { Referer: "https://vixsrc.to/", Origin: "https://vixsrc.to" };
const encoded = btoa(JSON.stringify(headers));
// eyJSZWZlcmVyIjoiaHR0cHM6Ly92aXhzcmMudG8vIiwiT3JpZ2luIjoiaHR0cHM6Ly92aXhzcmMudG8ifQ==
// Pass as: &headers=eyJSZWZlcmVy...

Security — SSRF Protection

Private IP ranges and localhost are blocked:
  • 127.0.0.1, ::1, 0.0.0.0
  • 10.x.x.x, 192.168.x.x, 172.16–31.x.x
  • .internal, .local domains
  • 169.254.169.254 (GCP metadata endpoint)

Response

On success, the proxy streams the upstream response body directly with appropriate CORS headers. No JSON envelope. On error, a JSON object is returned:
error
string
Description of the failure.
The upstream response body is streamed directly. Content-Type, Content-Length, and other relevant headers are forwarded. CORS headers are added.
The proxy is used internally by /api/player — all stream and subtitle URLs served to the player are already routed through /api/proxy.
The vlc_url field returned by /api/stream/movie and /api/stream/tv is a pre-built proxy URL — pass it directly to VLC or any URL-capable player without additional encoding.