I Discovered a Public API That Allows CORS and Built a Business Around It Last week, I stumbled onto something that completely changed how I think about API infrastructure. I was debugging a frontend project and noticed something strange in the browser network tab. A request to DeepSeek API was returning data directly — no server, no proxy, no backend. Just pure JavaScript fetch() from localhost hitting an external API endpoint. My first reaction was: This cannot be right. This is a security vulnerability. But then I started digging deeper. The Discovery That Started Everything For years, I have been building API proxies. Want to call OpenAI from a React app? You need a backend. Want to query Anthropic? Serverless function. Calling any major LLM provider from the browser has always required some form of server-side intermediary. Why? CORS (Cross-Origin Resource Sharing). Browsers block cross-origin requests by default.…