A privacy-focused, self-hosted (THIS IS NOT SUPPOSED TO BE USED IN NON-LOCAL ENVIRONMENTS) metasearch front-end. SearchBird is a single-page
UI (index.html) served by a small Node proxy (proxy.js) that fronts the
You.com API (plus Wikipedia and image search), with first-class support for Tor
and multi-account identity partitioning.

For personal and educational use. Respect the terms of service of every upstream provider ([You.com](https://you.com/terms), [Bing](https://www.microsoft.com/en-us/bing/apis/grounding-legal), [DuckDuckGo](https://duckduckgo.com/terms), [Wikipedia](https://foundation.wikimedia.org/wiki/Policy:Terms_of_Use), etc.). See Legal / disclaimer.

- Local-only proxy — serves the UI at `http://127.0.0.1:8787` (configurable).
- Identity-partitioning key rotation — rotates across multiple You.com API keys so no single account accumulates a complete profile of your searches.
- Tor stream isolation — optional, with a fresh Tor circuit per request (random SOCKS isolation) so requests aren't correlated to one exit.
- Token-gated endpoints — every proxy route requires a session token (timing-safe comparison).
- SSRF-hardened thumbnail proxy — blocks loopback, private, link-local, IPv6 (`::1`, ULA, IPv4-mapped) and cloud-metadata targets.
- Wikipedia + image search built in.

- Node.js 18+
- One or more You.com API keys
- (Optional, for Tor) a running Tor daemon with a SOCKS proxy on `127.0.0.1:9050`, plus the `socks-proxy-agent` package (`npm install socks-proxy-agent`). Without it, Tor is simply disabled.

```bash
cp config.example.json config.json   # then add your real key(s)
node proxy.js                        # or: npm start
```

Open http://127.0.0.1:8787. The local server injects the session token into the page automatically.
If no real key is configured, the server exits with a clear message instead of starting with a placeholder.

| Variable | Default | Purpose |
|---|---|---|
| `SEARCHBIRD_HOST` | `127.0.0.1` | Bind address |
| `SEARCHBIRD_PORT` | `8787` | Port |
| `SEARCHBIRD_TOKEN` | random each run | Pin the session token (optional) |

- `config.json` (git-ignored) — your You.com API key(s). Copy it from `config.example.json`.
- Private Settings menu (in the UI) — password-protected; stores keys and Tor toggles under `.private_config/` (git-ignored), and enables per-key rotation.

Nothing sensitive is committed: `.gitignore` excludes `config.json`, `.private_config/`, and logs.

The goal of the project is not invisibility, since nobody is truly unprofilable online, but to make correlation expensive:
- Identity partitioning. Each You.com account is a separate profile bucket. Spreading queries across several independently-created accounts means no single account ever sees a complete picture of your interests. The accounts only stay unlinked if they were created independently (different networks/devices at signup) — the key rotation can't fix linkage that happened at registration.
- Tor stream isolation. When enabled, each request goes out on its own Tor circuit (random SOCKS username → separate exit), so upstream traffic isn't trivially correlated to a single IP/exit.
- Blend in. Pair this with a stock, RFP-enabled browser (e.g. Tor Browser or Mull) rather than a heavily customized one because a rare fingerprint is more identifying, not less.

- All `/v1`, `/images`, `/wiki`, `/thumb`, and `/private-settings` routes are token-gated with a timing-safe comparison.
- The thumbnail proxy validates the target URL against an SSRF blocklist (loopback / private / link-local / IPv6 / IPv4-mapped / metadata).
- Request bodies are size-limited.
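
The SSRF blocklist check described for the thumbnail proxy can be sketched as follows. This is an added example, not SearchBird's own code: the function names, the exact CIDR list and the three-way `block` / `allow` / `resolve` result are assumptions made for illustration.

```javascript
// Added example, not SearchBird's code. The range list is an assumption built
// from the categories the README names (plus 0.0.0.0/8, "::" and fe80::/10).
const V4_BLOCKED = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],   // "this" net, private, loopback
  ['172.16.0.0', 12], ['192.168.0.0', 16],             // private
  ['169.254.0.0', 16],                                 // link-local, incl. 169.254.169.254 metadata
];
const V6_BLOCKED = [
  ['::', 127],          // unspecified address and ::1 loopback
  ['::ffff:0:0', 96],   // IPv4-mapped
  ['fc00::', 7],        // ULA
  ['fe80::', 10],       // link-local
];

const v4ToInt = (s) => s.split('.').reduce((n, o) => (n << 8n) | BigInt(o), 0n);

// Expects the compressed form that the WHATWG URL parser emits (hex groups only).
function v6ToInt(s) {
  const [head, tail] = s.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
  return groups.reduce((n, g) => (n << 16n) | BigInt('0x' + g), 0n);
}

// True when addr falls inside any [base, prefix] range of the table.
const inAny = (addr, table, toInt, bits) => table.some(([base, prefix]) => {
  const shift = BigInt(bits - prefix);
  return (addr >> shift) === (toInt(base) >> shift);
});

// Returns 'block', 'allow', or 'resolve' (a DNS name: resolve it, run every
// returned address through the same tables, and connect to the checked address).
function classifyTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return 'block'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'block';
  const host = url.hostname;   // already canonical: 0x7f.1 and 2130706433 become 127.0.0.1
  if (host.startsWith('[')) {
    return inAny(v6ToInt(host.slice(1, -1)), V6_BLOCKED, v6ToInt, 128) ? 'block' : 'allow';
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return inAny(v4ToInt(host), V4_BLOCKED, v4ToInt, 32) ? 'block' : 'allow';
  }
  return 'resolve';
}
```

Checking the hostname only after `new URL()` has canonicalised it is what makes alternate spellings of the same address (hex, single-integer, IPv4-mapped) land on the same table entry.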
Found a security issue? Please open an issue (or a private advisory).
This software is provided for personal and educational use, without warranty. Multi-account creation and automated API-key rotation may violate the terms of service of the upstream providers. You are solely responsible for how you use it and for complying with all applicable terms and laws.
GPL-3.0-or-later. See LICENSE.
Please note that this whole project is not yet finished and tests are not yet fully done. Using this product in a production environment is not recommended. You must use this with a strong password and encryption if you are using it in a local environment. Any liability for the use of this product is disclaimed. If you use this product in a production environment, you do so at your own risk.
Please publish issues if you can so that I can improve the product. And if you find any bugs, send them to neon.cruelness718@passinbox.com. I don't yet have a bug tracker set up.