v3 #832

New issue

Closed

opened 2026-02-25 23:43:44 +03:00 by kerem · 1 comment

kerem commented

2026-02-25 23:43:44 +03:00

Owner

Originally created by @musa11971 on GitHub (Nov 28, 2025).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/1234

I am trying to retrieve the status of a check in the browser (front-end). I have a static blog, so proxying it through a server is not an option. The check information is not sensitive, so I feel like this should be allowed? The API key used is read-only. Would like to hear your thoughts.

JavaScript example:

// Runs in the user's browser
document.addEventListener("DOMContentLoaded", async function () {
    const uniqueKey = "0ac43e3e0192f79f226b1eff1f15e520ce682e1f";

    await fetch("https://healthchecks.io/api/v3/checks/" + uniqueKey, {
        method: "GET",
        headers: {
            "Content-Type": "application/json",
            "X-Api-Key": "my_readonly_api_key"
        }
    })
        .then(r => r.json())
        .then(console.log);
});

⚠️ Access to fetch at 'https://healthchecks.io/api/v3/checks/0ac43e3e0192f79f226b1eff1f15e520ce682e1f' from origin 'http://localhost:1313' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

Dirty workaround

Not a big fan of this, but cors-anywhere could be used to bypass it for this specific call.

await fetch("https://cors-anywhere.my-heroku-app.com/https://healthchecks.io/api/v3/checks/" + uniqueKey, { // ...

Originally created by @musa11971 on GitHub (Nov 28, 2025). Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/1234 I am trying to retrieve the status of a check in the browser (front-end). I have a static blog, so proxying it through a server is not an option. The check information is not sensitive, so I feel like this should be allowed? The API key used is read-only. Would like to hear your thoughts. JavaScript example: ```js // Runs in the user's browser document.addEventListener("DOMContentLoaded", async function () { const uniqueKey = "0ac43e3e0192f79f226b1eff1f15e520ce682e1f"; await fetch("https://healthchecks.io/api/v3/checks/" + uniqueKey, { method: "GET", headers: { "Content-Type": "application/json", "X-Api-Key": "my_readonly_api_key" } }) .then(r => r.json()) .then(console.log); }); ``` > ⚠️ **Access to fetch at 'https://healthchecks.io/api/v3/checks/0ac43e3e0192f79f226b1eff1f15e520ce682e1f' from origin 'http://localhost:1313' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.** ### Dirty workaround Not a big fan of this, but [`cors-anywhere`](https://github.com/Rob--W/cors-anywhere) could be used to bypass it for this specific call. ```js await fetch("https://cors-anywhere.my-heroku-app.com/https://healthchecks.io/api/v3/checks/" + uniqueKey, { // ... ```