Cross-Origin-Resource-Policy
Learn how CORP controls which origins can load your website's resources.
Cross-Origin-Resource-Policy (CORP) is a security header that controls which origins can load your website's resources. This policy helps prevent data exfiltration and provides fine-grained control over resource sharing.
What is Cross-Origin-Resource-Policy?
Cross-Origin-Resource-Policy (CORP) is a security header that you set on your server's responses to control which websites are allowed to load your resources. Two URLs are 'cross-origin' when they differ in protocol, domain, or port. Think of CORP as a permission slip on each file your server sends: it tells the browser whether other websites (other origins) are allowed to use that image, script, or stylesheet. Without CORP, any website can embed your images, load your scripts, or read your data. CORP is the counterpart to COEP: while COEP is set by the page loading resources, CORP is set by the server providing those resources.
- CORP tells browsers who is allowed to load a specific resource from your server
- Without CORP, any website can embed your images, scripts, and other files
- CORP is required when another site uses Cross-Origin-Embedder-Policy (COEP) with require-corp
- The header is set per-response, giving you fine-grained control over each resource
Why CORP Matters
By default, browsers allow any website to include your images, embed your scripts, and load your resources. While this is often intended (you want your CDN resources to be accessible), it can also be exploited. Attackers can include your resources on their pages to extract information through side-channel attacks or to abuse your server's bandwidth and resources.
- Prevents unauthorized sites from hotlinking your images and using your bandwidth
- Blocks Spectre-style attacks that could read your resource data through timing analysis
- Works with COEP to enable cross-origin isolation on consuming pages
- Gives resource owners explicit control over who can load their content
When a website enables COEP with require-corp, every cross-origin resource it loads must carry a CORP header granting permission (or be fetched with CORS). If you host resources that other sites need to embed (a CDN, for example), you need to set Cross-Origin-Resource-Policy: cross-origin on those resources, or COEP-enabled pages will fail to load them.
CORP Values Explained
CORP offers three values that control the scope of access to your resources. Choose based on who needs to load each resource.
- same-origin: Only your own website (exact same protocol + domain + port) can load the resource. Use for private assets like internal API responses or authenticated user data.
- same-site: Any subdomain of your site can load the resource. For example, both www.example.com and cdn.example.com could share resources. Use for CDN assets served from a subdomain.
- cross-origin: Any website can load the resource. Use for public assets like open-source libraries, public images, or resources intentionally shared with the web.
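The three values, and the missing-header case that matters for COEP, can be seen together in a small model of the browser's decision for a no-cors embed (an img, script or stylesheet). This is an added example, not code from the original page; it approximates a "site" as scheme plus the last two host labels, where a real browser consults the Public Suffix List, and it leaves CORS-mode requests out of scope.

```javascript
// Added example: a model of the browser-side CORP check for a no-cors embed.
// Assumption: the "site" is scheme + last two host labels (real browsers use the
// Public Suffix List); CORS-mode requests are not modelled here.

const VALID_CORP = new Set(['same-origin', 'same-site', 'cross-origin']);

// Origin = scheme + host (+ non-default port, which URL.host already includes).
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Schemeful "site": scheme + registrable domain (approximated as last two labels).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

// corp: value of the resource's Cross-Origin-Resource-Policy header (null if absent).
// coep: the embedding page's Cross-Origin-Embedder-Policy (null if absent).
// Returns { allowed, reason } for the page at pageUrl embedding resourceUrl.
function corpCheck({ pageUrl, resourceUrl, corp = null, coep = null }) {
  if (originOf(pageUrl) === originOf(resourceUrl)) {
    return { allowed: true, reason: 'same-origin request; CORP not consulted' };
  }
  if (corp === null || !VALID_CORP.has(corp)) {
    // A missing or unrecognised header counts as "no CORP": only an embedder
    // that sent COEP: require-corp refuses the response.
    if (coep === 'require-corp') {
      return { allowed: false, reason: 'embedder requires CORP and response has none' };
    }
    return { allowed: true, reason: 'no CORP; embedder does not require it' };
  }
  if (corp === 'cross-origin') {
    return { allowed: true, reason: 'CORP: cross-origin admits any origin' };
  }
  if (corp === 'same-site' && siteOf(pageUrl) === siteOf(resourceUrl)) {
    return { allowed: true, reason: 'CORP: same-site and page is same-site' };
  }
  // same-origin (cross-origin request) or same-site from another site.
  return { allowed: false, reason: `CORP: ${corp} blocks ${originOf(pageUrl)}` };
}

module.exports = { corpCheck, originOf, siteOf };
```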
Implementation Guide
Set CORP on your server responses based on who should be able to load each resource. You can apply different values to different endpoints or file types.
# Apache - restrict to same origin
Header always set Cross-Origin-Resource-Policy "same-origin"

# Nginx - allow cross-origin for public assets, same-origin for the API
location /public/ {
    add_header Cross-Origin-Resource-Policy "cross-origin" always;
}
location /api/ {
    add_header Cross-Origin-Resource-Policy "same-origin" always;
}

# Node.js / Express - per-route configuration
const express = require('express');
const app = express();

// API responses are private: only this origin may load them
app.use('/api', (req, res, next) => {
    res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
    next();
});

// Public assets may be embedded by any origin (needed by COEP: require-corp pages)
app.use('/public', (req, res, next) => {
    res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
    next();
});

Best Practices
Apply CORP strategically based on the sensitivity and intended audience of each resource.
- Use same-origin for API responses and authenticated content to prevent data leakage
- Use same-site for resources shared between your subdomains (CDN assets, shared libraries)
- Use cross-origin only for genuinely public resources meant to be loaded by any website
- Apply CORP per-route or per-directory rather than a single policy for your whole site
- If you run a CDN or public API, set cross-origin so sites using COEP can still load your resources
- Test with COEP-enabled pages to verify your CORP settings allow intended access
Implementation Examples
Same Origin Only
Cross-Origin-Resource-Policy: same-origin
Only allows resources to be loaded by the same origin.
Explanation: This is the most restrictive option. Only the same origin can load your resources.
Same Site
Cross-Origin-Resource-Policy: same-site
Allows resources to be loaded by the same site.
Explanation: This allows subdomains to load your resources while blocking other sites.
Cross Origin
Cross-Origin-Resource-Policy: cross-origin
Allows any origin to load resources.
Explanation: This is the least restrictive option; it grants every origin permission to load the resource and so provides no additional protection, but it is what public CDNs and shared assets need so that COEP-enabled pages can still use them.
Key Directives
- same-origin: Only allows resources to be loaded by the same origin
- same-site: Allows resources to be loaded by the same site
- cross-origin: Allows any origin to load resources