
Cross-Origin-Resource-Policy

Tells the browser to stop other sites from loading your resources.

CORP

Purpose

Protects against side-channel attacks such as Spectre by controlling which origins may load a resource, so the browser can block the response before it reaches another site's process.

Implementation

Set to same-origin, same-site, or cross-origin:

```
Cross-Origin-Resource-Policy: same-origin
```

Examples

  • same-origin
  • same-site
  • cross-origin
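
How a browser treats each of the three values can be modelled in a few lines. This is an added example, not code from the original page; `corpCheck`, `registrableDomain` and the sample URLs are hypothetical names and constructed inputs. It assumes the embedding page sets no Cross-Origin-Embedder-Policy and approximates "site" with a tiny constructed suffix list rather than the real Public Suffix List.

```javascript
// Simplified model of the browser-side CORP decision (added example).
// Assumption: SUFFIXES is a constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain = public suffix plus one label (longest suffix wins).
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host;
}

// initiator: URL of the page making the request
// resource:  URL of the response carrying the header
// mode:      fetch mode ("no-cors" for plain <img>, <script>, etc.)
// corp:      value of Cross-Origin-Resource-Policy, or null if absent
function corpCheck({ initiator, resource, mode = "no-cors", corp = null }) {
  const from = new URL(initiator);
  const to = new URL(resource);
  if (mode !== "no-cors") return "allowed";        // CORS-mode loads are governed by CORS instead
  if (from.origin === to.origin) return "allowed"; // same origin always passes
  const policy = corp === null ? null : corp.trim();
  switch (policy) {
    case "same-origin":
      return "blocked";                            // origins are already known to differ
    case "same-site": {
      const sameSite =
        registrableDomain(from.hostname) === registrableDomain(to.hostname);
      // An http page may not pull a same-site resource served over https.
      const schemeOk = from.protocol === "https:" || to.protocol !== "https:";
      return sameSite && schemeOk ? "allowed" : "blocked";
    }
    default:
      return "allowed";                            // cross-origin, missing, or unrecognized value
  }
}
```

The `default` branch is why a missing or misspelled value gives no protection: anything other than the three exact values is treated as if the header were absent.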

Best Practices

  • Use same-origin for maximum protection
  • Use same-site if you need subdomain sharing
  • Coordinate with CORS headers

Common Mistakes

  • Not setting the header
  • Breaking legitimate resource sharing
  • Conflicting with CORS configuration
