IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. Cross-Origin-Resource-Policy

HTTP security header

Cross-Origin-Resource-Policy

Cross-Origin-Resource-Policy (CORP) lets a resource declare that only same-origin or same-site documents may load it, helping defend against cross-origin information leaks such as Spectre-style side channels and unauthorized embedding.

Example

Cross-Origin-Resource-Policy: same-origin

Configuration guidance

  • Use same-origin or same-site for sensitive resources.
  • Combine with COOP and COEP for cross-origin isolation.

Related headers

Cross-Origin-Opener-PolicyContent-Security-Policy
MDN: CORP

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub