The PAC file reference you need.
Every function, return value, best practices, security guide, WPAD, testing tools, and a live in-browser tester — all in one place.
About this site
Why this page exists.
findproxyforurl.com was for years the go-to reference for anyone writing or debugging PAC files — a clean, no-frills page that documented every helper function with working examples. When it went offline, it left a real gap: most alternative documentation is scattered across MDN, MSDN knowledge-base articles, and decade-old forum threads.
This site was built to fill that gap. It covers everything findproxyforurl.com did — and more: best practices, security considerations, WPAD auto-discovery, performance guidance, testing workflows, and an in-browser PAC tester. It's open-source and community-maintained.
Found an error or want to contribute? Open a pull request on GitHub.
What is a PAC file?
A plain-text JavaScript file that tells browsers which proxy to use, per request.
A Proxy Auto-Configuration (PAC) file contains exactly one JavaScript function: FindProxyForURL(url, host). Browsers call this function for every outbound request. Your function inspects the URL and hostname and returns a string telling the browser what to do.
PAC files were introduced by Netscape in 1996 and remain broadly supported across all major browsers and operating systems today.
| Parameter | Type | Description |
|---|---|---|
| url | string | The full URL being requested. For HTTPS, the path and query are stripped — only scheme + host + port are available. This is a known browser security restriction. |
| host | string | The hostname extracted from the URL. Port numbers are removed. Identical to the host portion of the URL. |
window, fetch, XMLHttpRequest, localStorage, setTimeout are unavailable. Only the built-in PAC helper functions listed on this page work.
Quick start
A solid production template to build from.
```javascript
function FindProxyForURL(url, host) {
  // 1. Bypass proxy for plain (unqualified) hostnames
  if (isPlainHostName(host)) {
    return "DIRECT";
  }

  // 2. Bypass for internal corporate domains
  if (dnsDomainIs(host, ".corp.internal") ||
      dnsDomainIs(host, ".corp.com")) {
    return "DIRECT";
  }

  // 3. Bypass for RFC1918 private ranges — resolve once, reuse
  var ip = dnsResolve(host);
  if (ip && (
      isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // 4. Everything else: primary proxy → fallback proxy → direct
  return "PROXY proxy1.corp.com:8080; PROXY proxy2.corp.com:8080; DIRECT";
}
```
Return values
Strings returned by FindProxyForURL control how each request is routed.
Proxy chaining & fallback
Multiple directives in a return string create an ordered fallback chain.
When you return multiple directives separated by semicolons, the browser tries them strictly left to right, in the order written. It only moves to the next directive if the current one is unreachable or times out — it does not load-balance across them automatically.
```javascript
return "PROXY primary.corp.com:8080; PROXY backup.corp.com:8080; DIRECT";
//      ↑ tried first                ↑ tried if primary fails    ↑ last resort
```
- The browser connects to primary.corp.com:8080 first. If it responds, all traffic goes through it.
- If primary is unreachable or times out, the browser automatically retries via backup.corp.com:8080.
- DIRECT at the end means if both proxies fail, the browser will attempt a direct connection as a last resort. Omit DIRECT if you never want requests to bypass the proxy.
- Proxy failover adds latency — the browser must wait for a connection timeout before trying the next entry. Keep fallback chains short and use reliable primary proxies.
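The fallback rules above can be checked mechanically before a PAC file ships. The following is an added example, not part of the original page: it parses a return string into the order the browser tries it and flags a DIRECT fallback after a proxy, malformed entries, duplicates and over-long chains. The keyword list, the explicit host:port requirement and the maxEntries threshold are assumptions of this example.

```javascript
// Added example: audit a PAC return string before deploying it.
// Directive keywords accepted by this check (assumption: your browsers support them).
const PROXY_TYPES = new Set(["PROXY", "SOCKS", "SOCKS4", "SOCKS5", "HTTP", "HTTPS"]);
const HOST_PORT = /^(\[[0-9a-fA-F:.]+\]|[^\s:\[\]]+):(\d{1,5})$/;

// Split the string into directives, in the left-to-right order the browser tries them.
function parseProxyChain(ret) {
  return ret.split(";").map((s) => s.trim()).filter(Boolean).map((raw) => {
    const [keyword, target, ...extra] = raw.split(/\s+/);
    const type = keyword.toUpperCase();
    if (type === "DIRECT" && target === undefined) return { type, raw };
    // This check expects an explicit host:port, as in the page's examples.
    const m = PROXY_TYPES.has(type) && extra.length === 0 && HOST_PORT.exec(target || "");
    const port = m ? Number(m[2]) : 0;
    if (port < 1 || port > 65535) return { type: "INVALID", raw };
    return { type, host: m[1], port, raw };
  });
}

// maxEntries is a hypothetical policy threshold: each dead entry costs one connect timeout.
function auditChain(ret, maxEntries = 3) {
  const chain = parseProxyChain(ret);
  const findings = [];
  const firstProxy = chain.findIndex((d) => PROXY_TYPES.has(d.type));
  const seen = new Set();
  chain.forEach((d, i) => {
    if (d.type === "INVALID") findings.push(`malformed directive: "${d.raw}"`);
    if (d.type === "DIRECT" && firstProxy !== -1 && i > firstProxy) {
      findings.push("fail-open: DIRECT after a proxy lets traffic bypass it when the proxies are down");
    }
    const key = d.raw.toUpperCase();
    if (seen.has(key)) findings.push(`duplicate directive: "${d.raw}"`);
    seen.add(key);
  });
  if (chain.length > maxEntries) findings.push(`chain has ${chain.length} entries (max ${maxEntries})`);
  return { chain, findings };
}

// Constructed sample inputs: the chain shown above, and a fail-closed variant.
for (const ret of [
  "PROXY primary.corp.com:8080; PROXY backup.corp.com:8080; DIRECT",
  "PROXY primary.corp.com:8080; PROXY backup.corp.com:8080",
]) {
  console.log(ret, "=>", auditChain(ret).findings);
}
```

Run it with Node.js against every distinct return string in your PAC file; an empty findings list means the chain fails closed and stays within the threshold.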