No Cross-Origin-Resource-Policy header
The Cross-Origin-Resource-Policy (CORP) header tells browsers which other websites are allowed to load your images, scripts and other files. This header is not set, so any site can hotlink your resources freely.
Why this matters
Without it, other websites can embed your content without permission, which can increase your bandwidth costs and potentially expose your resources to misuse in malicious pages.
How to fix it
Add the response header Cross-Origin-Resource-Policy: same-origin to block other sites from loading your resources, or use cross-origin if you intentionally allow embedding.
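One way to apply the fix above in a Node.js request handler, as an added example that is not part of the original page: same-origin is the default and cross-origin is returned only for paths you intentionally allow to be embedded. The path prefixes and function names are hypothetical, and the audit helper also accepts same-site, a third valid CORP value the page does not discuss.

```javascript
// Added example. EMBEDDABLE_PREFIXES and all function names are assumptions.
const CORP_HEADER = 'Cross-Origin-Resource-Policy';

// Paths that other sites are intentionally allowed to embed (hypothetical).
const EMBEDDABLE_PREFIXES = ['/embed/', '/public-badges/'];

// Choose the CORP value for a request URL: same-origin unless explicitly opted in.
function corpValueFor(requestUrl) {
  // Resolve against a dummy base so dot segments and query strings are
  // normalised away: "/embed/../private.png" becomes "/private.png".
  const path = new URL(requestUrl, 'http://placeholder.invalid').pathname;
  const embeddable = EMBEDDABLE_PREFIXES.some((prefix) => path.startsWith(prefix));
  return embeddable ? 'cross-origin' : 'same-origin';
}

// Handler in the (req, res) shape accepted by Node's http.createServer().
// The header is set before any body is written so every response carries it.
function handler(req, res) {
  res.setHeader(CORP_HEADER, corpValueFor(req.url));
  res.end('ok');
}

// Check a captured response-header object and report the state of the header.
const VALID_CORP_VALUES = new Set(['same-origin', 'same-site', 'cross-origin']);
function auditCorp(headers) {
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === CORP_HEADER.toLowerCase());
  if (!entry) return 'missing';
  return VALID_CORP_VALUES.has(String(entry[1]).trim()) ? 'ok' : 'invalid';
}
```

auditCorp can be run over headers collected from a staging deployment to confirm that no response is still missing the header after the change.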