
How to fix: Cross-Origin policies (COOP / COEP / CORP)

OWASP A05

Why this matters

The cross-origin isolation trio (Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy) is what lets a browser cross-origin isolate a page, which it requires before exposing SharedArrayBuffer and high-resolution timers, the primitives that make Spectre-class CPU side-channel attacks practical from JavaScript. Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp on the document do the isolating; Cross-Origin-Resource-Policy on your responses keeps other origins from loading them into their own process. They are not drop-in headers: COEP: require-corp blocks every cross-origin image, script, font or iframe that lacks a CORP header or CORS opt-in, and COOP: same-origin severs window.opener, which OAuth and payment popups often rely on. Deploy Cross-Origin-Opener-Policy-Report-Only and Cross-Origin-Embedder-Policy-Report-Only first and read the reports before enforcing; with that done, the three headers are a sensible baseline for any app that handles sensitive data.

Background

Cross-origin isolation (COOP plus COEP on the document) defends against Spectre-class CPU side-channel attacks by ensuring that nothing from another origin is mapped into the same process as your page unless that origin agreed to it. The three headers divide the work. Cross-Origin-Resource-Policy (same-origin, same-site or cross-origin) is set on a response and tells the browser which documents may load it in no-cors mode (img, script, font, iframe), so OTHER origins cannot pull your resources into their process. Cross-Origin-Opener-Policy: same-origin puts the document in its own browsing context group, so an opener or popup on another origin gets no window reference to it. Cross-Origin-Embedder-Policy: require-corp refuses every cross-origin subresource that has not opted in via CORP or CORS; the credentialless value instead loads opted-out no-cors resources without cookies. Note that browsers enforce CORP on no-cors loads even when the document sets no COEP, so a third-party resource served with CORP: same-origin fails to load under any policy.

References

MDN · Cross-Origin-Resource-Policy · Cross-Origin-Opener-Policy · Cross-Origin-Embedder-Policy

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
Put these in the server block that serves the HTML document. nginx does not inherit add_header into a location block that declares its own add_header, so repeat all three there.

apache
Header always set Cross-Origin-Resource-Policy "same-origin"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"

cloudflare
Transform Rules → Modify Response Header → set all three (Cross-Origin-Resource-Policy: same-origin, Cross-Origin-Opener-Policy: same-origin, Cross-Origin-Embedder-Policy: require-corp).

wordpress
WP Headers Security Advanced plugin, or add to functions.php:
add_action('send_headers', function () {
    header('Cross-Origin-Resource-Policy: same-origin');
    // ... then the same header() call for Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy
});

flask
@app.after_request
def cross_origin_headers(resp):
    resp.headers.setdefault('Cross-Origin-Resource-Policy', 'same-origin')  # likewise for COOP and COEP
    return resp

express
const helmet = require('helmet');
app.use(helmet.crossOriginResourcePolicy({ policy: 'same-origin' }));
app.use(helmet.crossOriginOpenerPolicy({ policy: 'same-origin' }));
app.use(helmet.crossOriginEmbedderPolicy({ policy: 'require-corp' }));

rails
Rails adds config.action_dispatch.default_headers to every response; in config/application.rb:
config.action_dispatch.default_headers.merge!(
  'Cross-Origin-Resource-Policy' => 'same-origin',
  'Cross-Origin-Opener-Policy'   => 'same-origin',
  'Cross-Origin-Embedder-Policy' => 'require-corp'
)

Verify it's working

curl -sIL https://your-site/ | grep -iE 'cross-origin-(resource|opener|embedder)-policy'

All three lines should come back on the final response (-L follows redirects, so you check the document that is actually served rather than a 301). Then load the site and evaluate self.crossOriginIsolated in the browser console: it is true only when COOP and COEP are both effective, and the DevTools Network panel lists every subresource that COEP blocked.
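The following is an added example, not code from the original page. It does offline what the curl check does by hand: given a document's response headers it decides whether the browser will report crossOriginIsolated, and for a list of subresources it predicts which ones COEP: require-corp (or credentialless) will block, which is the usual reason a rollout breaks the page. The host names (app.example.com, cdn.example.com, fonts.thirdparty.example, widget.partner.example, tracker.ads.example), the header sample and the subresource list are constructed; the registrable-domain computation takes the last two host labels, a simplification of the Public Suffix List that browsers use. checkLiveSite() assumes Node 18+ for the global fetch.

```javascript
// Added example (not from the original page): decide from a document's
// response headers whether it will be cross-origin isolated, and predict
// which subresources COEP will block. Hosts below are constructed samples.

const COEP_ISOLATING = new Set(["require-corp", "credentialless"]);

// Header values may carry parameters, e.g. `same-origin; report-to="coop"`.
// Keep only the policy token, lower-cased; null when the header is absent.
function policyToken(value) {
  if (value == null) return null;
  return String(value).split(";")[0].trim().toLowerCase();
}

// Case-insensitive lookup over a plain header object (curl output, fetch Headers).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// crossOriginIsolated needs COOP: same-origin plus COEP: require-corp or
// credentialless. CORP is not needed for isolation but protects your own responses.
function evaluateIsolation(headers) {
  const coop = policyToken(getHeader(headers, "cross-origin-opener-policy"));
  const coep = policyToken(getHeader(headers, "cross-origin-embedder-policy"));
  const corp = policyToken(getHeader(headers, "cross-origin-resource-policy"));
  const errors = [];
  const warnings = [];
  if (coop !== "same-origin") {
    errors.push(`COOP is ${coop ?? "missing"}; isolation needs same-origin`);
  }
  if (!COEP_ISOLATING.has(coep)) {
    errors.push(`COEP is ${coep ?? "missing"}; needs require-corp or credentialless`);
  }
  if (corp === null) {
    warnings.push("CORP missing: other origins may load this response in no-cors mode");
  }
  return { coop, coep, corp, crossOriginIsolated: errors.length === 0, errors, warnings };
}

// Schemeful site = scheme + registrable domain. Simplification: the registrable
// domain is taken as the last two labels; browsers use the Public Suffix List.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;
const sameSite = (a, b) => siteOf(a) === siteOf(b);

// CORP is enforced on no-cors loads whether or not the document sets COEP.
// Returns true/false when a valid CORP value decides the load, null when the
// header is absent or unrecognised (browsers ignore invalid values).
function corpDecision(corpValue, docOrigin, resUrl) {
  switch (policyToken(corpValue)) {
    case "same-origin": return sameOrigin(docOrigin, resUrl);
    case "same-site": return sameSite(docOrigin, resUrl);
    case "cross-origin": return true;
    default: return null;
  }
}

// res = { url, corp: CORP header value or null, cors: true when the resource was
// requested in CORS mode (crossorigin attribute / fetch) and the CORS check passed }
function subresourceAllowed(coepValue, docOrigin, res) {
  if (sameOrigin(docOrigin, res.url)) return { allowed: true, reason: "same-origin" };
  if (res.cors) return { allowed: true, reason: "CORS response; CORP not consulted" };
  const corp = corpDecision(res.corp, docOrigin, res.url);
  if (corp !== null) {
    return { allowed: corp, reason: `CORP ${policyToken(res.corp)} ${corp ? "permits" : "blocks"} this document` };
  }
  switch (policyToken(coepValue)) {
    case "require-corp": return { allowed: false, reason: "no CORP header under COEP: require-corp" };
    case "credentialless": return { allowed: true, reason: "no CORP header; loaded without credentials" };
    default: return { allowed: true, reason: "COEP not enforcing" };
  }
}

const DOC_ORIGIN = "https://app.example.com"; // constructed
const SAMPLE_RESOURCES = [ // constructed: what a Network panel might show
  { url: "https://app.example.com/static/app.js", corp: null, cors: false },
  { url: "https://cdn.example.com/logo.png", corp: "same-site", cors: false },
  { url: "https://fonts.thirdparty.example/roboto.woff2", corp: null, cors: false },
  { url: "https://widget.partner.example/embed.js", corp: null, cors: true },
  { url: "https://tracker.ads.example/pixel.gif", corp: "same-origin", cors: false },
];

function reportSubresources(coepValue, docOrigin = DOC_ORIGIN, resources = SAMPLE_RESOURCES) {
  return resources.map((r) => ({ url: r.url, ...subresourceAllowed(coepValue, docOrigin, r) }));
}

// Fetch a live page's headers (Node 18+ global fetch, follows redirects) and evaluate them.
async function checkLiveSite(url) {
  const res = await fetch(url);
  return evaluateIsolation(Object.fromEntries(res.headers));
}

const SAMPLE_HEADERS = { // constructed: what the nginx config above returns
  "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop"',
  "Cross-Origin-Embedder-Policy": "require-corp",
  "Cross-Origin-Resource-Policy": "same-origin",
};
console.log(evaluateIsolation(SAMPLE_HEADERS));
console.table(reportSubresources("require-corp"));
```

Running it with node prints the isolation verdict for the sample headers and a table showing that, under require-corp, the font with no CORP header is blocked while the same-site CDN image, the CORS-loaded widget and the same-origin script load; switching the first argument to "credentialless" admits the font, but the tracker pixel served with CORP: same-origin stays blocked under every policy. To check a real site, call checkLiveSite('https://your-site/') and, for the subresource list, feed reportSubresources the URLs and CORP values you see in the Network panel.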

Want to know if your site has this issue?

Run a free 53-check audit — security, GDPR, NIS2, and technical SEO.
