
Cross-Origin-Embedder-Policy

Requires cross-origin resources to explicitly opt in to being embedded.

COEP

Purpose

Enables powerful features like SharedArrayBuffer by isolating your site.

Implementation

Set the header to require-corp or credentialless:

```
Cross-Origin-Embedder-Policy: require-corp
```

Examples

  • require-corp
  • credentialless
  • unsafe-none

Best Practices

  • Use require-corp for maximum security
  • Coordinate with CORP headers
  • Test all embedded resources

Common Mistakes

  • Not setting the header
  • Breaking third-party embeds
  • Missing CORP headers on resources
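
An added example, not from the original page: a simplified JavaScript model of the subresource check behind the three values, for auditing an inventory of embedded resources before enabling the header. The hosts and the `coepVerdict` and `audit` helpers are hypothetical; iframes are not modeled and `same-site` is only flagged for review.

```javascript
// Simplified model of how a browser treats subresources of a page that sends
// Cross-Origin-Embedder-Policy. Iframes and the same-site registrable-domain
// comparison are out of scope; same-site is reported as "review".
function coepVerdict(policy, pageUrl, res) {
  const pageOrigin = new URL(pageUrl).origin;
  if (new URL(res.url).origin === pageOrigin) return "ok"; // same-origin always loads

  // Header names are case-insensitive; values are compared exactly.
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) h[k.toLowerCase()] = v.trim();

  if (res.cors) {
    // Fetched with crossorigin="anonymous": the CORS check decides, not CORP.
    const acao = h["access-control-allow-origin"];
    return acao === "*" || acao === pageOrigin ? "ok" : "blocked";
  }

  const corp = h["cross-origin-resource-policy"];
  if (corp === "cross-origin") return "ok";
  if (corp === "same-site") return "review";
  if (corp === "same-origin") return "blocked"; // enforced under every COEP value
  // No usable CORP header: only require-corp refuses the response.
  // credentialless loads it, but the request is sent without cookies.
  return policy === "require-corp" ? "blocked" : "ok";
}

// URLs of resources that would not load cleanly under the given policy.
function audit(policy, pageUrl, resources) {
  return resources
    .filter((r) => coepVerdict(policy, pageUrl, r) !== "ok")
    .map((r) => r.url);
}

// Constructed sample inventory of what a page embeds (hypothetical hosts).
const PAGE = "https://app.example";
const RESOURCES = [
  { url: "https://app.example/main.js", headers: {} },
  { url: "https://cdn.example/lib.js", headers: { "Cross-Origin-Resource-Policy": "cross-origin" } },
  { url: "https://img.example/logo.png", headers: {} },
  { url: "https://fonts.example/a.woff2", cors: true, headers: { "Access-Control-Allow-Origin": "*" } },
  { url: "https://ads.example/pixel.gif", headers: { "cross-origin-resource-policy": "same-origin" } },
];

for (const p of ["require-corp", "credentialless", "unsafe-none"]) {
  console.log(p, "->", audit(p, PAGE, RESOURCES));
}
```

The image served without a CORP header is the only difference between require-corp and credentialless in this inventory, which is the case the "Missing CORP headers on resources" mistake describes.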
