Cross-Origin Isolation Headers Not Configured
One or more cross-origin isolation headers (COOP, COEP, CORP) are not set. These headers provide defense-in-depth but are only required if your site uses features like SharedArrayBuffer or needs strict cross-origin isolation.
Use this article when
- You need deeper remediation guidance than the issue card can show.
- You want CMS-specific steps before handing the fix to a developer.
- You want a repeatable re-check path after shipping the change.
What this issue is
One or more of the cross-origin isolation response headers, Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Resource-Policy (CORP), are not set. These headers provide defense-in-depth but are only required if your site uses features like SharedArrayBuffer or needs strict cross-origin isolation.
Why it matters
Because these headers are a defense-in-depth layer, leaving them unset affects browser trust signals and whether visitors feel safe submitting contact details. They are only required if your site uses features like SharedArrayBuffer or needs strict cross-origin isolation.
How we detect it
- FreeSiteAudit flags this issue when the rule SEC-CROSS-ORIGIN-ISOLATION-001 fails and the page evidence points to HTTP headers.
- You can usually confirm this by checking the page source or the relevant page settings inside your CMS.
How to fix it
1. Add a Cross-Origin-Opener-Policy: same-origin header (test popup-based OAuth flows first)
2. Add a Cross-Origin-Embedder-Policy: require-corp header
3. Add a Cross-Origin-Resource-Policy: same-origin or same-site header
How to re-check it
- Confirm all three cross-origin headers are present in response headers
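One way to script this re-check, as an added example that is not FreeSiteAudit's own rule logic: it reads a raw response header block (for instance the output of `curl -sI <url>`), reports the state of each of the three headers, and says whether COOP and COEP together allow cross-origin isolation. The function names and the two sample responses are constructed for illustration, and the check goes slightly beyond the fix list by also recognizing the other values the specifications define.

```python
# Added example: audit COOP/COEP/CORP in a raw response header block,
# such as the output of `curl -sI <url>`.
COOP = "cross-origin-opener-policy"
COEP = "cross-origin-embedder-policy"
CORP = "cross-origin-resource-policy"

# Values the HTML and Fetch specifications define for each header.
KNOWN = {
    COOP: {"same-origin", "same-origin-allow-popups", "noopener-allow-popups", "unsafe-none"},
    COEP: {"require-corp", "credentialless", "unsafe-none"},
    CORP: {"same-origin", "same-site", "cross-origin"},
}

def parse_headers(raw):
    """Return {lowercased-name: lowercased-value} from a header block."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():                   # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            # Drop parameters such as ; report-to="..."
            headers[name.strip().lower()] = value.split(";")[0].strip().lower()
    return headers

def audit(raw):
    """Return (per-header status, whether the headers allow cross-origin isolation)."""
    headers = parse_headers(raw)
    status = {}
    for name, allowed in KNOWN.items():
        value = headers.get(name)
        if value is None:
            status[name] = "missing"
        elif value not in allowed:
            status[name] = "unrecognized"
        elif value == "unsafe-none":
            status[name] = "browser default"   # present but adds nothing
        else:
            status[name] = "ok"
    isolating = (headers.get(COOP) == "same-origin"
                 and headers.get(COEP) in {"require-corp", "credentialless"})
    return status, isolating

# Constructed sample responses (not captured from a real site).
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCross-Origin-Opener-Policy: unsafe-none\r\n\r\n"
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Cross-Origin-Opener-Policy: same-origin\r\n"
         "cross-origin-embedder-policy: require-corp\r\n"
         "Cross-Origin-Resource-Policy: same-site\r\n\r\n")
```

The parser reads only the first header block, so when a request follows redirects, pass it the headers of the final response.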
Related tools
This issue is best verified with the full FreeSiteAudit crawl rather than a single-point mini tool.