Cross-origin isolation

Cross-Origin-Resource-Policy


CORP lets a resource declare which origins are allowed to embed it, blocking the cross-origin reads that fuel side-channel attacks (Spectre) and resource theft. same-origin allows only your own origin; same-site allows your whole site; cross-origin permits anyone (use it for public assets such as fonts or a CDN). Apply same-origin to sensitive responses.

Example

Cross-Origin-Resource-Policy: same-origin
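How a browser applies the three values when a document tries to load a resource, as an added example that is not part of the original page: a model of the CORP check for a no-cors subresource load (image, script, font). It assumes that a host's "site" is its scheme plus the last two host labels; real browsers consult the Public Suffix List for that step.

```javascript
// Added example, not from the original page: a model of the browser-side
// CORP check for a no-cors subresource load (img, script, font, fetch with
// mode "no-cors"). Returns true when the browser must block the response,
// false when the embedding document is allowed to load it.
//
// Assumption: the "site" of a host is its scheme plus the last two host
// labels. Real browsers use the Public Suffix List, so suffixes such as
// "co.uk" are handled correctly only there.

function originOf(url) {
  return new URL(url).origin;              // e.g. "https://app.example.com"
}

function schemelessSiteOf(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(-2).join(".");        // assumed eTLD+1, see above
}

function corpBlocks(corpHeader, requestOrigin, responseUrl) {
  const policy = (corpHeader || "").trim().toLowerCase();
  if (policy !== "same-origin" && policy !== "same-site") {
    // "cross-origin", a missing header, or an unrecognised value: CORP does
    // not block. (A missing header is only refused when the embedder sets
    // Cross-Origin-Embedder-Policy: require-corp, which is not modelled here.)
    return false;
  }
  if (requestOrigin === "null") {
    // Opaque origins (sandboxed frames, data: documents) match nothing.
    return true;
  }
  if (originOf(requestOrigin) === originOf(responseUrl)) {
    return false;                           // same origin always passes
  }
  if (policy === "same-origin") {
    return true;
  }
  // same-site: hosts must share the registrable domain, and an http embedder
  // may not pull in an https resource (the reverse direction is allowed).
  const requestScheme = new URL(requestOrigin).protocol;
  const responseScheme = new URL(responseUrl).protocol;
  if (schemelessSiteOf(requestOrigin) !== schemelessSiteOf(responseUrl)) {
    return true;
  }
  return requestScheme !== "https:" && responseScheme === "https:";
}

// Constructed sample: a sensitive API response served with same-origin.
console.log(corpBlocks("same-origin", "https://evil.test", "https://app.example.com/api/me.json")); // true
```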

Options

Option: value
Type: select (same-origin / same-site / cross-origin)
Default: same-origin
Notes: (none)

Scoring

Contributes up to 2 points to your grade (a bonus header — not required for an A+).

Full specification on MDN