Skip to content
Skip to content
API Pricing RU Sign In
← All HTTP Headers
Security

Cross-Origin-Resource-Policy

Restricts which origins can load a resource, preventing unauthorized cross-origin reads.

Syntax

Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

Example

Cross-Origin-Resource-Policy: same-origin

Description

Cross-Origin-Resource-Policy (CORP) tells the browser which origins can include the resource. Prevents cross-origin data leaks.

Values: same-site, same-origin, cross-origin.

Important for resources with sensitive data — without it, any website could embed your resources and extract information via side-channel attacks.

Check if your website sends this header correctly

Check your headers →

Related Articles

Security Headers: The Complete Guide
Complete guide to HTTP security headers: CSP, HSTS, X-Frame-Options, Permissions-Policy, CORP, COEP. Configuration and examples.

Related Headers

Content-Security-Policy
Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.
Cross-Origin-Opener-Policy
Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.
Permissions-Policy
Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.
Referrer-Policy
Controls how much referrer information is included with requests, balancing privacy with analytics needs.
Strict-Transport-Security
Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.
X-Content-Type-Options
Prevents browsers from MIME-sniffing the content type, reducing the risk of drive-by downloads and XSS attacks.

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation