Security Vulnerabilities Guide

Understanding and fixing common web security vulnerabilities detected by VitaPulse

Low
Cross-Origin-Resource-Policy (CORP)

Tells the browser which origins may load your resources as subresources (images, scripts, stylesheets, fonts, media), blocking cross-origin loads you have not opted into.

Risk

Without CORP, any website can load your resources as subresources (images, scripts, stylesheets, media). The embedding page cannot read the bytes directly in the default no-cors mode, but the data is pulled into that page's browser process, where speculative-execution side channels such as Spectre can leak it; this is why cross-origin isolation (Cross-Origin-Embedder-Policy: require-corp) refuses to load cross-origin resources that carry no CORP header. It also lets other sites hotlink your content, consuming your bandwidth, and because the browser sends your cookies with such loads, resources meant only for your own pages can end up in an attacker's page. Note that CORP is enforced by the browser only: it does nothing against curl, scripts, or a user who navigates straight to the URL.

Solution

Set Cross-Origin-Resource-Policy on every response to restrict who may load it. Use 'same-origin' for private resources (pages, API responses, user uploads), 'same-site' for assets shared across your own subdomains (same registrable domain and scheme), and 'cross-origin' for public CDN assets that other sites are meant to embed. A blanket 'same-origin' will break legitimate embedding of your public assets elsewhere, so apply the value per resource class rather than globally.

Example
Cross-Origin-Resource-Policy: same-origin