Cross-Origin-Embedder-Policy configured
Why it matters
Without Cross-Origin-Embedder-Policy, the browser cannot verify that cross-origin resources embedded in your page have opted into being loaded, leaving side-channel data leaks open via timing attacks on resource loading behavior. COEP is also the gate for SharedArrayBuffer and performance.measureUserAgentSpecificMemory() — both blocked by default until cross-origin isolation is established. CWE-1021 applies to cross-origin resource embedding without explicit consent. OWASP A05 identifies missing cross-origin isolation headers as a hardening gap for apps processing sensitive data.
Severity rationale
Medium because COEP is required for full cross-origin isolation and `SharedArrayBuffer` access, and its absence represents an incomplete security posture even when COOP is configured.
Remediation
Set Cross-Origin-Embedder-Policy in next.config.js. Start with credentialless for compatibility — it allows CDN images and fonts without requiring them to set CORP headers.
// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{
        key: 'Cross-Origin-Embedder-Policy',
        value: 'credentialless',
      }],
    }];
  },
};
Test all third-party embeds (YouTube iframes, payment widgets, chat tools) after deployment — COEP can break embeds that don't set permissive CORP headers. Switch to require-corp only after auditing every embedded resource.
Detection
- ID: coep-configured
- Severity: medium
- What to look for: Check framework config, middleware, and deployment config for a Cross-Origin-Embedder-Policy (COEP) header. Acceptable values: require-corp (strictest — all cross-origin resources must opt in via CORP) or credentialless (allows cross-origin resources without credentials, compatible with CDN images and fonts). COEP is required for SharedArrayBuffer access and full cross-origin isolation.
- Pass criteria: COEP header is set to require-corp or credentialless — at least 1 location must configure it. Quote the actual header value and count all locations where COEP is configured.
- Fail criteria: No COEP header configured.
- Skip (N/A) when: No SharedArrayBuffer usage detected and the project does not explicitly need cross-origin isolation. Also skip if the project loads many third-party resources that would break under COEP (document the reason).
- Detail on fail: "No Cross-Origin-Embedder-Policy header configured — cross-origin isolation not enabled" or "COEP not set — SharedArrayBuffer access requires cross-origin isolation"
- Remediation: COEP ensures that all resources loaded by the page have explicitly opted into being loaded, preventing cross-origin data leaks:
  // next.config.js (header entry inside the headers() route array, as in the Remediation section above)
  { key: 'Cross-Origin-Embedder-Policy', value: 'credentialless' }
  Use credentialless for compatibility with CDN-hosted images and fonts. Use require-corp for maximum isolation (requires all cross-origin resources to set CORP headers). Test thoroughly — COEP can break third-party embeds.
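The pass, fail and skip criteria above, implemented as a small check over in-memory source files. This is an added example, not the rule's own tooling; the `{ key, value }` and `setHeader`-style patterns it recognises, the `needsIsolation` option and the sample project files are assumptions.

```javascript
// Added example, not the rule's own tooling: an in-memory "coep-configured" check.
// Assumes next.config.js-style `{ key, value }` header objects and `setHeader(name, value)`
// style calls; the sample project at the bottom is constructed.
const ACCEPTABLE_COEP = new Set(['require-corp', 'credentialless']);
const COEP_PATTERNS = [
  // { key: 'Cross-Origin-Embedder-Policy', value: 'credentialless' }
  /key:\s*['"]cross-origin-embedder-policy['"]\s*,\s*value:\s*['"]([^'"]+)['"]/gi,
  // res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp') and similar call forms
  /['"]cross-origin-embedder-policy['"]\s*,\s*['"]([^'"]+)['"]/gi,
];
// Every location that assigns a COEP value, with the value normalised to lowercase.
function findCoepHeaders(files) {
  const hits = [];
  for (const { path, content } of files) {
    for (const re of COEP_PATTERNS) {
      for (const m of content.matchAll(re)) hits.push({ path, value: m[1].trim().toLowerCase() });
    }
  }
  return hits;
}

// Pass / fail / skip per the rule: a configured header always decides the result, and the
// skip clause applies only when no header is present. The "many third-party embeds" skip
// reason needs reviewer judgment and is not automated here.
function evaluateCoep(files, { needsIsolation = false } = {}) {
  const hits = findCoepHeaders(files);
  const valid = hits.filter((h) => ACCEPTABLE_COEP.has(h.value));
  if (valid.length > 0) {
    return { status: 'pass', locations: valid,
      detail: `COEP set to '${valid[0].value}' in ${valid.length} location(s)` };
  }
  if (hits.length > 0) {
    return { status: 'fail', locations: hits, detail: `COEP set to unsupported value '${hits[0].value}'` };
  }
  const usesSab = files.some((f) => /\bSharedArrayBuffer\b/.test(f.content));
  if (!usesSab && !needsIsolation) {
    return { status: 'skip', locations: [],
      detail: 'No SharedArrayBuffer usage and no stated need for cross-origin isolation' };
  }
  return { status: 'fail', locations: [],
    detail: 'No Cross-Origin-Embedder-Policy header configured; cross-origin isolation not enabled' };
}
// Constructed sample project: COEP configured in two places, plus a worker using SharedArrayBuffer.
const SAMPLE_FILES = [
  { path: 'next.config.js', content: "{ key: 'Cross-Origin-Embedder-Policy', value: 'credentialless' }" },
  { path: 'middleware.ts', content: "res.headers.set('Cross-Origin-Embedder-Policy', 'require-corp');" },
  { path: 'lib/worker.js', content: 'const buf = new SharedArrayBuffer(1024);' },
];
console.log(evaluateCoep(SAMPLE_FILES).detail); // COEP set to 'credentialless' in 2 location(s)
```

A real scan would read the files from disk and also parse the deployment config (e.g. reverse-proxy header rules), which this pattern-based check does not cover.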
External references
- cwe · CWE-1021
- owasp:2021 · A05
Taxons
History
- 2026-04-18·v1.0.0·Initial import from security-headers-ii·automated