No Cross-Origin-Opener-Policy header
The Cross-Origin-Opener-Policy (COOP) header controls whether a top-level document shares a browsing context group with cross-origin documents that opened it, or that it opens, through window.open() or a link with target="_blank". This header is not set on the scanned page, so the browser applies the default, unsafe-none, and a cross-origin opener keeps a live window reference to your page.
Why this matters
The same-origin policy already stops a cross-origin opener from reading your page's DOM, but it leaves a small cross-window API open: the opener can navigate your page to a URL of its choosing, can observe when the window closes, and shares a browsing context group (and, in browsers without full site isolation, possibly a renderer process) with your page, which weakens isolation against Spectre-style side channels. In the other direction, a page your site opens can reach your tab through its window.opener. With Cross-Origin-Opener-Policy: same-origin the document gets its own browsing context group: window.opener in your page is null, a cross-origin opener's handle is severed, pages you open get no opener, and the page becomes eligible for cross-origin isolation (crossOriginIsolated, together with Cross-Origin-Embedder-Policy). Setting COOP is a cheap, browser-enforced layer; it only affects top-level documents, not iframes, and it does not replace the other security headers.
How to fix it
Add the response header Cross-Origin-Opener-Policy: same-origin to every HTML response. It must be sent by the server; COOP cannot be set with a meta tag. If your site opens pop-up windows for login (such as Google OAuth) that need to keep a handle on your page to report the result back, use Cross-Origin-Opener-Policy: same-origin-allow-popups instead: it still cuts off cross-origin pages that open your site, while pop-ups your page opens keep window.opener unless they set COOP themselves. Because that relaxed value keeps the handle for every pop-up you open, add rel="noopener" to links that open untrusted sites so they cannot navigate your tab. After deploying, confirm the header is present with curl -sI https://your-site.example/ | grep -i cross-origin-opener-policy.
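The following is an added example and not code from the original page or from any scanner vendor. It is a small Node.js server that sets Cross-Origin-Opener-Policy per route (same-origin-allow-popups only on the login routes), plus an audit function that checks a response's header map the way a header scanner would. The route prefixes, port and demo page contents are assumptions made for this illustration; the demo uses the fact that http://127.0.0.1 and http://localhost are different origins, so a pop-up opened across them is cross-origin and the policy can be observed from the pop-up's window.opener.

```javascript
// Added example (not from the original page). Assumed route prefixes, port and
// page bodies; everything else is standard Node.js.

// Assumed: routes that open a third-party login pop-up and must keep a handle on
// it (so the pop-up can postMessage the result back) get the relaxed value.
const POPUP_LOGIN_PREFIXES = ["/login", "/auth/"];

function coopValueFor(pathname) {
  const opensPopups = POPUP_LOGIN_PREFIXES.some((p) => pathname.startsWith(p));
  return opensPopups ? "same-origin-allow-popups" : "same-origin";
}

// Headers every HTML response from this server carries.
function securityHeadersFor(pathname) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Cross-Origin-Opener-Policy": coopValueFor(pathname),
  };
}

// Audit a lower-cased header map (as Node's res.getHeaders()/req.headers give).
// The directive may carry a report-to parameter, so only the first token counts.
function auditCoop(headers) {
  const raw = headers["cross-origin-opener-policy"];
  if (raw === undefined) {
    return { ok: false, reason: "header missing; browser defaults to unsafe-none" };
  }
  const value = String(raw).split(";")[0].trim().toLowerCase();
  if (value === "same-origin" || value === "same-origin-allow-popups") {
    return { ok: true, value };
  }
  if (value === "unsafe-none") {
    return { ok: false, reason: "unsafe-none is the browser default and isolates nothing" };
  }
  return { ok: false, reason: `unrecognised value "${value}"` };
}

// Demo pages (constructed for this example). "/" is meant to be visited at
// http://127.0.0.1:PORT/ and opens "/popup" via http://localhost:PORT/, which is
// a different origin. With COOP in effect the pop-up reports window.opener as
// null; run with --no-coop and it reports the opener as reachable.
const PORT = 8080;
const PAGES = {
  "/": `<p>Open this page as http://127.0.0.1:${PORT}/ then click:</p>
<a href="http://localhost:${PORT}/popup" target="_blank">open cross-origin popup</a>`,
  "/popup": `<pre id="out"></pre>
<script>
  document.getElementById("out").textContent =
    window.opener === null
      ? "window.opener is null: COOP severed the handle"
      : "window.opener is set: no COOP isolation";
</script>`,
};

// Start the demo server. Dynamic import keeps this file valid as CJS or ESM.
async function startServer(disableCoop = false) {
  const http = await import("node:http");
  const server = http.createServer((req, res) => {
    const { pathname } = new URL(req.url, `http://${req.headers.host ?? "localhost"}`);
    const body = PAGES[pathname];
    if (body === undefined) {
      res.writeHead(404).end();
      return;
    }
    const headers = securityHeadersFor(pathname);
    if (disableCoop) delete headers["Cross-Origin-Opener-Policy"]; // to show the difference
    res.writeHead(200, headers).end(body);
  });
  server.listen(PORT, () => console.log(`demo on http://127.0.0.1:${PORT}/`));
  return server;
}

if (process.argv.includes("--serve")) {
  startServer(process.argv.includes("--no-coop"));
}
```

Run with `node coop-demo.js --serve`, browse to http://127.0.0.1:8080/ and click the link: the pop-up shows that window.opener is null. Restart with `--no-coop` and the pop-up can reach the opener. auditCoop is what you would point at the header map of a fetched response (for example from res.getHeaders() in a test, or from the headers of a curl -sI run) to reproduce the scanner's verdict.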