Headers | Medium Priority | Pro

Cross-Origin-Embedder-Policy

Cross-Origin-Embedder-Policy (COEP) is an HTTP security header that controls which cross-origin resources a document is allowed to load. When set to require-corp, it requires that all cross-origin resources explicitly opt in via the Cross-Origin-Resource-Policy (CORP) header or CORS. Together with Cross-Origin-Opener-Policy (COOP), COEP enables a security state called cross-origin isolation.

Why It Matters

COEP and COOP together enable cross-origin isolation, which protects your page from Spectre-type CPU side-channel attacks. These attacks exploit speculative execution in modern CPUs to read memory across process boundaries, potentially leaking sensitive data from other browser tabs or extensions. Without cross-origin isolation, browsers intentionally reduce the precision of timers such as performance.now() and disable SharedArrayBuffer to prevent Spectre exploitation. If your application needs high-resolution timers or SharedArrayBuffer (common in WebAssembly workloads, video processing, or audio apps), you must achieve cross-origin isolation by deploying both the COEP and COOP headers.

How We Check

We analyze your HTTP response headers for the Cross-Origin-Embedder-Policy header and verify its value is either require-corp (strict: all cross-origin resources must have CORP headers) or credentialless (more permissive: cross-origin requests are sent without credentials). We also check for consistency with your Cross-Origin-Opener-Policy header to confirm your site achieves full cross-origin isolation, which requires both headers set correctly.

How to Fix

Add the COEP header to your server responses alongside COOP:

Option 1: require-corp (strictest isolation)

  Cross-Origin-Embedder-Policy: require-corp
  Cross-Origin-Opener-Policy: same-origin

With require-corp, every cross-origin resource (scripts, images, fonts, iframes) must include one of:

  • Cross-Origin-Resource-Policy: cross-origin
  • CORS headers (Access-Control-Allow-Origin), which only satisfy COEP when the resource is requested in CORS mode, for example with the crossorigin attribute on the element

Option 2: credentialless (easier to adopt)

  Cross-Origin-Embedder-Policy: credentialless
  Cross-Origin-Opener-Policy: same-origin

With credentialless, cross-origin requests are sent without cookies or credentials, so most third-party resources load without changes; resources that can only be served with cookies still need a CORP or CORS opt-in.

Testing before enabling: use report-only mode to identify incompatible resources without breaking your site:

  Cross-Origin-Embedder-Policy-Report-Only: require-corp; report-to="default"

The "default" group must be declared in a Reporting-Endpoints (or legacy Report-To) header, otherwise no reports are delivered.

Check browser DevTools > Application > Cross-Origin Isolation to verify your isolation status after deployment.
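As an added example (not SecScanner's own checker), the two checks described above in Python: whether a document's headers achieve cross-origin isolation, and whether a cross-origin resource would load under require-corp or credentialless. The header dicts are constructed samples; ACAO handling is simplified to "present or absent".

```python
"""Added example (not SecScanner's code): evaluate the COEP/COOP headers a
document sends, and whether a cross-origin resource would load under them.
Header dicts passed in are constructed samples, not captured responses."""
from typing import Mapping

ALLOWED_COEP = {"require-corp", "credentialless"}


def header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive lookup; returns the value's first token, lower-cased."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.split(";")[0].strip().lower()
    return ""


def isolation_status(headers: Mapping[str, str]) -> dict:
    """Does this document achieve cross-origin isolation (COEP + COOP)?"""
    coep = header(headers, "Cross-Origin-Embedder-Policy")
    coop = header(headers, "Cross-Origin-Opener-Policy")
    report_only = header(headers, "Cross-Origin-Embedder-Policy-Report-Only")
    findings = []
    if coep not in ALLOWED_COEP:
        msg = "COEP missing or not require-corp/credentialless"
        if report_only:
            msg += " (only Report-Only is set; it does not isolate)"
        findings.append(msg)
    if coop != "same-origin":
        findings.append("COOP must be same-origin for isolation")
    return {"coep": coep, "coop": coop, "isolated": not findings,
            "findings": findings}


def cross_origin_resource_loads(coep: str, resource: Mapping[str, str],
                                cors_request: bool, same_site: bool) -> bool:
    """Would an embedder with this COEP value load the cross-origin resource?
    CORP is enforced on no-cors responses whatever the COEP value; require-corp
    additionally demands an explicit opt-in."""
    corp = header(resource, "Cross-Origin-Resource-Policy")
    if cors_request:
        # CORS-mode fetch (e.g. <script crossorigin>): loads if the server
        # answers with ACAO. Simplified: browsers also match it to the origin.
        return bool(header(resource, "Access-Control-Allow-Origin"))
    if corp == "same-origin" or (corp == "same-site" and not same_site):
        return False  # blocked by CORP itself
    if coep == "require-corp":
        return corp in ("cross-origin", "same-site")  # explicit opt-in only
    return True  # credentialless (credentials stripped) or no COEP at all
```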

Related Security Checks

  • Cross-Origin-Resource-Policy (Headers)
  • Cross-Origin-Opener-Policy (Headers)


© 2025-2026 SecScanner. All rights reserved.