| Header | Explanation |
|---|---|
| Access-Control-Allow-Origin: * | Lets any origin read the response. Fine for genuinely public, unauthenticated resources; unsafe for anything protected only by network position (intranet APIs, IP allowlists), because any site the user visits can now read it through the user's browser. Cannot be combined with credentials. |
| Access-Control-Allow-Origin: https://example.com | Lets only the named origin read the response. When the value is chosen per request, match the Origin header against an allowlist and send Vary: Origin; reflecting an unchecked Origin is equivalent to "*" with credentials. |
| Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH | Returned on a preflight response to say which methods a cross-origin request may use. GET, HEAD and POST with simple content types do not trigger a preflight on their own. |
| Access-Control-Allow-Headers: Content-Type, Authorization, X-Api-Key | Returned on a preflight response to list the request headers the client may send beyond the CORS-safelisted ones. Authorization and X-Api-Key always need to be listed. |
| Access-Control-Allow-Credentials: true | Allows cookies, HTTP authentication and client TLS certificates on cross-origin requests. "*" is then rejected in Access-Control-Allow-Origin, and treated as a literal (non-matching) value in the other Allow-*/Expose-Headers headers. |
| Access-Control-Expose-Headers: X-RateLimit-Remaining, X-Custom-Header | Lets script read the named response headers. Without it, only the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) are readable cross-origin. |
| Access-Control-Max-Age: 86400 | How long (in seconds) the browser may cache a preflight result. Browsers cap the value (Chromium at 7200 s, Firefox at 86400 s). |
| Access-Control-Request-Method: PUT | Sent by the browser on the OPTIONS preflight to ask whether the method of the real request is allowed. |
| Access-Control-Request-Headers: Authorization, X-Api-Key | Sent by the browser on the OPTIONS preflight to ask whether the non-safelisted request headers are allowed. |
| Origin: https://client.com | Sent by the browser on every cross-origin request and on same-origin requests with non-safe methods (POST, PUT, ...). May be the literal string "null" (sandboxed iframes, some redirects, file: pages); never treat "null" as a trusted origin. |
| Vary: Origin | Tells caches that the response differs by Origin. Required whenever Access-Control-Allow-Origin is chosen per request, otherwise a shared cache can serve one origin's CORS headers to another origin. |
| Vary: Access-Control-Request-Headers | Tells caches that a preflight response depends on which request headers were asked for. |
| Vary: Access-Control-Request-Method | Tells caches that a preflight response depends on which method was asked for. |
| Timing-Allow-Origin: * | Lets any origin read detailed Resource Timing data for the response (DNS, TCP, TLS and request phases, transfer sizes). Without it, cross-origin timing entries are reduced to start and end times. |
| Timing-Allow-Origin: https://example.com | Lets only the named origin read the detailed timing data. |
| Access-Control-Allow-Private-Network: true | Answers the Access-Control-Request-Private-Network: true preflight that Chromium's Private Network Access sends before a public site may reach a private-address or loopback resource. Only set it on services that are meant to be reachable from the public web. |
| Cross-Origin-Opener-Policy: same-origin | Puts the document in its own browsing context group: cross-origin pages that opened it, or that it opens, lose their window reference (window.opener becomes null). Blocks cross-window XS-Leaks and is one half of cross-origin isolation. |
| Cross-Origin-Opener-Policy: same-origin-allow-popups | The document stays isolated from cross-origin openers, but popups it opens may keep a reference back to it (needed for OAuth and payment popup flows). |
| Cross-Origin-Opener-Policy: unsafe-none | The default: no isolation; cross-origin windows can hold references to each other (least secure). |
| Cross-Origin-Embedder-Policy: require-corp | Every cross-origin subresource must either carry a Cross-Origin-Resource-Policy header that permits it or be loaded with CORS. With COOP: same-origin this enables SharedArrayBuffer and high-resolution timers. The alternative value credentialless instead loads cross-origin no-cors resources without credentials. |
| Cross-Origin-Embedder-Policy: unsafe-none | The default: any resource can be embedded without opt-in; the document is not cross-origin isolated. |
| Cross-Origin-Resource-Policy: same-origin | Set on a resource by its owner: the browser refuses to load it as a cross-origin no-cors subresource (img, script, etc.). Protects the resource against Spectre-style reads and cross-site resource inclusion. |
| Cross-Origin-Resource-Policy: same-site | As above, but same-site loads (same scheme and registrable domain, including other subdomains) are allowed. |
| Cross-Origin-Resource-Policy: cross-origin | Any origin may embed the resource. Needed on CDN assets and other resources consumed by pages that send COEP: require-corp. |
| Cross-Origin-Opener-Policy-Report-Only | Takes the same values as COOP, reports would-be violations to the group named with report-to="..." and enforces nothing. |
| Cross-Origin-Embedder-Policy-Report-Only | Takes the same values as COEP, reports would-be violations to the group named with report-to="..." and enforces nothing. |
| Content-Security-Policy: script-src 'self' | Only scripts served from the page's own origin may run; inline scripts and cross-origin script URLs are blocked. The main CSP control against XSS. |
| Content-Security-Policy: worker-src 'self' | Controls which URLs may be loaded as Worker, SharedWorker and ServiceWorker scripts. If absent, child-src and then script-src apply. |
| Content-Security-Policy: frame-ancestors 'none' | The page may not be embedded in any frame (anti-clickjacking). Replaces X-Frame-Options: DENY in browsers that support it. |
| Content-Security-Policy: require-trusted-types-for 'script' | DOM sinks such as innerHTML, eval and script src only accept Trusted Types objects created by a registered policy, which removes most DOM XSS sinks. Usually paired with a trusted-types directive naming the allowed policies. |
| Permissions-Policy: cross-origin-isolated=(self) | Restricts the cross-origin-isolated capability (and with it SharedArrayBuffer and high-resolution timers) to the page's own origin; cross-origin iframes do not get it. The page itself still needs COOP: same-origin and COEP: require-corp. (There is no shared-array-buffer feature; cross-origin-isolated is the policy-controlled feature.) |
| Permissions-Policy: fullscreen=(self) | Only the page's own origin may request fullscreen; embedded cross-origin frames may not. |
| Permissions-Policy: geolocation=() | Geolocation is disabled for the page and every frame in it. |
| Referrer-Policy: no-referrer | The Referer header is never sent, to any destination. |
| Referrer-Policy: strict-origin-when-cross-origin | Full URL as referrer on same-origin requests, only the origin on cross-origin requests, and nothing at all when downgrading from HTTPS to HTTP. The default in current browsers. |
| Sec-Fetch-Site: cross-site | Sent by the browser to tell the server where the request came from: same-origin, same-site, cross-site or none (user-initiated, e.g. URL bar). The server can use it to reject cross-site requests to private endpoints (Fetch Metadata resource isolation). |
| Sec-Fetch-Mode: cors | Sent by the browser to state the request mode: cors, no-cors, navigate, same-origin or websocket. |
| Sec-Fetch-Dest: script | Sent by the browser to state the destination type: script, image, document, iframe, object, empty (fetch/XHR), and others. |
| Sec-Fetch-User: ?1 | Sent only on navigation requests that were triggered by user activation (a click or keypress), not by script. |
| Report-To: {"group":"coop","max_age":10886400} | Defines a reporting group that COOP and COEP select with report-to="coop" in their own value; a complete header also carries an endpoints array with the report URLs. Newer browsers use the Reporting-Endpoints header instead. |
| NEL: {"report_to":"coop","max_age":10886400} | Network Error Logging: asks the browser to report DNS, TCP, TLS and HTTP failures for this origin to the named Report-To group. Only honoured over HTTPS. |
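The CORS rows above (allowlisted Access-Control-Allow-Origin with Vary: Origin, credentials, preflight answers and Max-Age) are easiest to see as one server-side decision. The following is an added example in plain Node.js, not code from the page; the origins, the exposed X-RateLimit-Remaining header and the request shapes are assumptions. It also shows the reflect-any-Origin anti-pattern beside the hardened version.

```javascript
// Added example (not from the page): building CORS response headers for a
// credentialed API. Origins, exposed header and sample requests are assumed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed first-party front end
  'https://admin.example.com', // assumed admin UI
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'];
const ALLOWED_HEADERS = ['content-type', 'authorization', 'x-api-key']; // compared lower-case

// Anti-pattern: reflecting whatever Origin arrives while allowing credentials
// lets any site the victim visits read cookie-authenticated responses.
function corsHeadersReflecting(req) {
  const origin = req.headers.origin;
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened version: exact allowlist match, Vary on every response (even denials),
// preflight answered only for methods and headers we actually accept.
function corsHeaders(req) {
  const origin = req.headers.origin;
  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  const headers = {
    Vary: preflight
      ? 'Origin, Access-Control-Request-Method, Access-Control-Request-Headers'
      : 'Origin',
  };
  // Missing, unknown or literal "null" Origin: no Allow-* headers, so the browser blocks the read.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: preflight ? 403 : 200, headers };
  }
  headers['Access-Control-Allow-Origin'] = origin; // never '*' together with credentials
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (!preflight) {
    headers['Access-Control-Expose-Headers'] = 'X-RateLimit-Remaining'; // assumed custom header
    return { status: 200, headers };
  }
  const method = req.headers['access-control-request-method'].toUpperCase();
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(method) && requested.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    // Refuse the preflight: without Allow-Origin/Methods/Headers the real request never happens.
    delete headers['Access-Control-Allow-Origin'];
    delete headers['Access-Control-Allow-Credentials'];
    return { status: 403, headers };
  }
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '86400'; // browsers cap this (7200 s in Chromium)
  return { status: 204, headers };
}

// Constructed requests, as Node's http module would present them (header names lower-case).
const CORS_SAMPLES = [
  { method: 'GET', headers: { origin: 'https://app.example.com' } },
  { method: 'GET', headers: { origin: 'https://evil.example' } },
  { method: 'OPTIONS', headers: { origin: 'https://app.example.com',
    'access-control-request-method': 'PUT',
    'access-control-request-headers': 'Authorization, X-Api-Key' } },
];

for (const req of CORS_SAMPLES) {
  console.log(req.method, req.headers.origin, '->', corsHeaders(req));
  console.log('  reflected (unsafe):', corsHeadersReflecting(req));
}
```

Plug `corsHeaders` into a request handler by writing `result.headers` onto the response and ending preflights with `result.status`; the real request continues to normal processing only when it was not a preflight.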
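The Sec-Fetch-* rows describe request headers the server is meant to act on, and the COOP/COEP/CORP/Permissions-Policy rows describe the response set for a cross-origin-isolated page. The following added example, not code from the page, puts both together in Node.js: a Fetch Metadata resource isolation policy evaluated over constructed requests, and the isolation header set. The endpoint paths and the choice of which ones are public are assumptions.

```javascript
// Added example (not from the page): a Fetch Metadata resource isolation policy
// plus the response headers for a cross-origin-isolated document. Paths are assumed.

// Endpoints deliberately open to other sites (assumed): a public widget script and a
// public API; everything else is for our own site and for top-level navigations.
const PUBLIC_PATHS = new Set(['/embed/widget.js', '/api/public']);

function fetchMetadataAllows(req) {
  const site = req.headers['sec-fetch-site'];
  // Older browsers send no Sec-Fetch-* headers at all. Denying them would break real users,
  // so these requests fall through to the other defenses (CSRF tokens, SameSite cookies).
  if (site === undefined) return true;
  // Our own origin, our own site, or a direct user action (URL bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  // Cross-site top-level navigations are how users arrive from other sites: allow them,
  // but only as GET/HEAD (a cross-site POST navigation is the classic CSRF form) and never
  // into <object>/<embed>, which let the embedding page read the response.
  const mode = req.headers['sec-fetch-mode'];
  const dest = req.headers['sec-fetch-dest'];
  if (mode === 'navigate' && (req.method === 'GET' || req.method === 'HEAD')
      && dest !== 'object' && dest !== 'embed') {
    return true;
  }
  // Any other cross-site traffic (fetch/XHR, images, scripts, frames) only to public endpoints.
  return PUBLIC_PATHS.has(req.path);
}

// Response headers for a document that wants crossOriginIsolated === true
// (SharedArrayBuffer, high-resolution timers) and protects its own subresources.
function isolationHeaders() {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Embedder-Policy': 'require-corp',
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Permissions-Policy': 'cross-origin-isolated=(self), geolocation=()',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Content-Security-Policy': "script-src 'self'; worker-src 'self'; frame-ancestors 'none'",
  };
}

// Constructed sample requests: the Sec-Fetch-* values a browser sends in each situation.
const SAMPLES = [
  { label: 'own page fetching its API', method: 'POST', path: '/api/transfer',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { label: 'cross-site form POST (CSRF attempt)', method: 'POST', path: '/api/transfer',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document', 'sec-fetch-user': '?1' } },
  { label: 'cross-site fetch() of a private API', method: 'GET', path: '/api/transfer',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { label: 'user follows a link from another site', method: 'GET', path: '/dashboard',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document', 'sec-fetch-user': '?1' } },
  { label: 'cross-site <object> embed of a page', method: 'GET', path: '/dashboard',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'object' } },
  { label: 'third-party site loads the public widget', method: 'GET', path: '/embed/widget.js',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' } },
  { label: 'legacy browser, no Sec-Fetch-* headers', method: 'GET', path: '/dashboard', headers: {} },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ label: s.label, allowed: fetchMetadataAllows(s) }));
}

for (const r of evaluateSamples()) console.log((r.allowed ? 'ALLOW ' : 'BLOCK ') + r.label);
```

Run the policy before any authentication or business logic and answer blocked requests with 403; keep the legacy-browser fallthrough until telemetry shows no traffic without Sec-Fetch-Site, then it can be tightened to deny.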