Legacy & misc

X-Permitted-Cross-Domain-Policies


This header controls whether Adobe clients (historically Flash and Acrobat) may load a cross-domain policy file from your site to make cross-origin requests. The value none forbids all such policies. Flash is dead, but the header is cheap, widely scanned for, and still relevant to some PDF/legacy clients, so most hardened configs set none.

Example

X-Permitted-Cross-Domain-Policies: none

Options

Option | Type | Default | Notes
value | select (none / master-only / by-content-type) | none |
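
To confirm what a server actually sends, the following added example (not part of the original page or the tool it describes) audits the header block of a raw HTTP response for this header. The function name, verdict labels and sample responses are assumptions constructed for illustration.

```python
HEADER = "x-permitted-cross-domain-policies"


def audit_xpcdp(raw_head: str) -> tuple[str, list[str]]:
    """Return (verdict, values) for the header block of one HTTP response.

    hardened    - every occurrence is exactly "none"
    permissive  - header present but still allows some policy files
    conflicting - header repeated with differing values
    missing     - header not sent
    """
    values = []
    # Skip the status line; stop at the blank line that ends the headers.
    for line in raw_head.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; values are normalised to lowercase.
        if sep and name.strip().lower() == HEADER:
            values.append(value.strip().lower())
    if not values:
        return "missing", values
    if len(set(values)) > 1:
        return "conflicting", values
    return ("hardened" if values[0] == "none" else "permissive"), values


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "X-Permitted-Cross-Domain-Policies: none\r\n\r\n<html>",
    "mixed_case": "HTTP/1.1 200 OK\r\n"
                  "x-permitted-cross-domain-policies:  NONE \r\n\r\n",
    "permissive": "HTTP/1.1 200 OK\r\n"
                  "X-Permitted-Cross-Domain-Policies: master-only\r\n\r\n",
    # The header text appears only in the body, so it must not count.
    "body_only": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                 "X-Permitted-Cross-Domain-Policies: none\r\n",
    # e.g. a proxy and the application each add their own copy.
    "conflicting": "HTTP/1.1 200 OK\r\n"
                   "X-Permitted-Cross-Domain-Policies: none\r\n"
                   "X-Permitted-Cross-Domain-Policies: master-only\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, audit_xpcdp(head))
```

A "conflicting" result usually means two layers (for example a reverse proxy and the application) each set the header, and only one of them should.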

Scoring

Contributes up to 1 point to your grade (a bonus header — not required for an A+).

Full specification on MDN ↗