Security headers · Check
Cross-Origin-Resource-Policy permissive — narrowing cross-origin loads
Cross-Origin-Resource-Policy (CORP) tells browsers which origins may embed a given resource. Setting `same-origin` (or `same-site`) blocks unrelated sites from including your scripts and images in their pages, which is a useful defense-in-depth alongside CSP `frame-ancestors`.
Real-world risk
Cross-origin embedding is broadly allowed; this is often fine for public assets but risky for HTML or API responses that should stay origin-bound.
Fix steps (in order)
- If this response should not be loaded cross-origin, use Cross-Origin-Resource-Policy: same-origin or same-site.
- If intentional (public CDN asset), document why; no change required.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (corp_cross_origin) clears once the externally-observable signal is in place.