Skip to content

[ZAP Security] Cross-Origin-Embedder-Policy Header Missing or Invalid #443

Description

@github-actions

Cross-Origin-Embedder-Policy Header Missing or Invalid

Risk Level: Low

Confidence: 2

Description

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).

Solution

Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy

CWE ID: 693

WASC ID: 14

Example Instance

URL: https://localhost:44322

Method: GET

Parameter: Cross-Origin-Embedder-Policy


This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2026-02-18
Plugin ID: 90004

Scan Metadata

  • Branch: main
  • Template Source: NuGet.org
  • Clean Template Version: 7.0.5
  • Umbraco CMS Version: 17.1.0

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions