Cross-origin isolation

Cross-Origin-Embedder-Policy


COEP controls which cross-origin resources your document is allowed to load. With require-corp, every cross-origin subresource and iframe must opt in explicitly: either the response carries a Cross-Origin-Resource-Policy (CORP) header that permits the embedding, or the resource is requested in CORS mode (the crossorigin attribute, fetch()) and passes the CORS check. Anything else is blocked. credentialless is the lighter variant: no-CORS requests for cross-origin resources are sent without cookies or other credentials, and those credential-stripped responses load even without a CORP header; iframes still need CORP. Combined with Cross-Origin-Opener-Policy: same-origin, either value turns on crossOriginIsolated, which is what gates SharedArrayBuffer and the high-resolution timer APIs. Because it blocks third-party embeds (images, scripts, fonts, iframes) that do not send the right headers, it is off by default here; enable it deliberately and verify your embeds still load. See MDN.
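To see why a given embed breaks (or survives) under each value, the check the browser runs can be modelled in a few lines. The function below is an added example written after the Fetch specification's cross-origin resource policy check; it is not code from this page or from any browser, and it simplifies "same site" to the last two DNS labels instead of consulting the Public Suffix List. The URLs in the usage calls are constructed for illustration.

```javascript
// Model of the checks a browser applies to a cross-origin load under
// Cross-Origin-Embedder-Policy. Added example, not browser code.

function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

function isSameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Simplification: the "site" of a host is its last two labels (no PSL).
function isSameSite(a, b) {
  const site = (h) => h.split(".").slice(-2).join(".");
  return site(a.host) === site(b.host);
}

// Returns "allowed" or "blocked" for one resource load.
//   coep:        the embedding document's Cross-Origin-Embedder-Policy
//   mode:        "no-cors" (plain <img>, <script>, <link>), "cors"
//                (crossorigin attribute / fetch()), or "navigate" (<iframe>)
//   corp:        the response's Cross-Origin-Resource-Policy header, if any
//   corsPassed:  for "cors" mode, whether the CORS check succeeded
function coepCheck({ coep, documentUrl, resourceUrl, mode, corp, corsPassed = true }) {
  const doc = originOf(documentUrl);
  const res = originOf(resourceUrl);

  // CORS-mode loads are governed by the CORS check, not by CORP.
  if (mode === "cors") return corsPassed ? "allowed" : "blocked";

  // A same-origin resource is never blocked by CORP.
  if (isSameOrigin(doc, res)) return "allowed";

  const forNavigation = mode === "navigate";
  // Without COEP, CORP is not applied to navigations (iframes) at all.
  if (forNavigation && coep === "unsafe-none") return "allowed";

  let policy = ["same-origin", "same-site", "cross-origin"].includes(corp) ? corp : null;

  // A missing or invalid CORP header is where the three COEP values differ.
  if (policy === null) {
    if (coep === "require-corp") {
      policy = "same-origin";            // every cross-origin load must opt in
    } else if (coep === "credentialless" && forNavigation) {
      policy = "same-origin";            // iframes still need CORP ...
    }
    // ... but credentialless no-cors subresources were fetched without
    // credentials, so they load with no CORP header; unsafe-none adds nothing.
  }
  if (policy === null) return "allowed";

  if (policy === "same-origin") return "blocked";  // we already know it is cross-origin
  if (policy === "same-site") {
    // Same site, and an http: page may not embed an https: resource this way.
    const ok = isSameSite(doc, res) && (doc.scheme === "https" || res.scheme !== "https");
    return ok ? "allowed" : "blocked";
  }
  return "allowed";                                 // "cross-origin": anyone may embed
}

// The header pair that flips window.crossOriginIsolated to true.
function isCrossOriginIsolated(coop, coep) {
  return coop === "same-origin" && (coep === "require-corp" || coep === "credentialless");
}

// Usage: a third-party image with no CORP header, under each COEP value.
for (const coep of ["unsafe-none", "credentialless", "require-corp"]) {
  console.log(coep, "->", coepCheck({
    coep,
    documentUrl: "https://app.example.com/",
    resourceUrl: "https://cdn.third-party.test/logo.png",
    mode: "no-cors",
  }));
}
```

Running it shows the failure mode the paragraph warns about: the same untagged third-party image is allowed under unsafe-none and credentialless but blocked under require-corp, while an untagged iframe is blocked under both require-corp and credentialless. Note that CORP is evaluated even with unsafe-none: a response marked same-origin is blocked regardless of COEP.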

Example

Cross-Origin-Embedder-Policy: require-corp

Options

Option   Type                                                  Default        Notes
value    select (require-corp / credentialless / unsafe-none)  require-corp

Scoring

Contributes up to 2 points to your grade (a bonus header — not required for an A+).

Full specification on MDN ↗