Cross-Origin-Resource-Policy (CORP) Header Explained
Cross-Origin-Resource-Policy (CORP) is an HTTP response header that tells the browser which other websites, if any, may load a resource (images, scripts, fonts) into their pages. Setting it to same-origin or same-site blocks unauthorized hotlinking and keeps your resources out of a cross-origin page's process, so they cannot be read through Spectre-type side-channel attacks.
Recommended Value
Cross-Origin-Resource-Policy: same-origin
What Each Directive Does
| Directive | Purpose |
|---|---|
| same-origin | Only pages from the same origin can load this resource |
| same-site | Pages from the same site (same eTLD+1) can load this resource |
| cross-origin | Any origin can load this resource (equivalent to no protection) |
What Happens Without This Header
Without CORP, any website can embed your images, scripts, and API responses. This enables hotlinking (bandwidth theft), data exfiltration if those resources contain sensitive data, and Spectre-type attacks that read the contents of cross-origin resources once they have been loaded into the attacking page's process.
How to Implement
```nginx
# Nginx — for API/private resources
# "always" also emits the header on error responses (4xx/5xx), not only on 2xx
add_header Cross-Origin-Resource-Policy "same-origin" always;

# Nginx — for public CDN assets
add_header Cross-Origin-Resource-Policy "cross-origin" always;
```

```javascript
// Express.js — scope the header to the API routes only
app.use('/api', (req, res, next) => {
  res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
  next();
});
```
Testing and Report-Only
CORP does not have a report-only mode, so test the effect before deployment rather than relying on violation reports. Apply same-origin to private resources and API endpoints. Use cross-origin for public assets that legitimately need to be embedded by third parties (CDN assets, public images). Note that CORP governs no-cors loads such as img, script and font; requests made in CORS mode are governed by the CORS response headers instead.
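Because there is no report-only mode, it helps to model the browser's check offline before rolling the header out. The following is an added example (not code from the article) that applies the directive table above to a page origin, a resource origin and a CORP value; the public-suffix table is a constructed stand-in for the real Public Suffix List, and the same-site comparison is simplified to "same scheme and same eTLD+1, ports ignored".

```javascript
// Simplified model of the browser-side CORP check (added example, not from the article).
const PUBLIC_SUFFIXES = ['co.uk', 'com', 'org', 'net']; // constructed subset of the PSL

function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port: u.port };
}

// eTLD+1 ("site") of a hostname, resolved against the constructed suffix table.
function registrableDomain(host) {
  const labels = host.split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.includes(suffix)) return labels.slice(i - 1).join('.');
  }
  return host; // no known suffix: treat the whole host as the site
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Simplified schemeful same-site: same scheme and same eTLD+1.
function sameSite(a, b) {
  return a.scheme === b.scheme && registrableDomain(a.host) === registrableDomain(b.host);
}

// Decide whether a page at pageOrigin may embed a resource from resourceOrigin
// that was served with the given CORP value. Returns 'allowed', 'blocked', or
// 'corp-not-checked' for CORS-mode requests, which CORS headers govern instead.
function corpCheck(pageOrigin, resourceOrigin, corpValue, mode = 'no-cors') {
  if (mode === 'cors') return 'corp-not-checked';
  const page = parseOrigin(pageOrigin);
  const res = parseOrigin(resourceOrigin);
  if (sameOrigin(page, res)) return 'allowed'; // CORP never blocks same-origin loads
  switch ((corpValue || '').trim().toLowerCase()) {
    case 'same-origin': return 'blocked';
    case 'same-site': return sameSite(page, res) ? 'allowed' : 'blocked';
    default: return 'allowed'; // cross-origin, header absent, or unrecognised value
  }
}
```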