No Cross-Origin Resource Policy (CORP) or Origin-Agent-Cluster header

Your server does not send two modern browser-isolation headers: Cross-Origin-Resource-Policy (CORP), which controls which sites can load your resources, and Origin-Agent-Cluster, which requests that the browser isolate your page into its own memory space. Together they reduce your exposure to cross-origin information leakage.

Why this matters

Without these headers, your site is more exposed to cross-origin attacks where another website can trigger requests to your server on a user's behalf or access shared browser memory. Security standards bodies including OWASP flag missing CORP as an access-control gap.

How to fix it

Ask your developer or hosting provider to add two response headers: Cross-Origin-Resource-Policy: same-origin (or cross-origin if you intentionally serve resources to other sites) and Origin-Agent-Cluster: ?1. Both are server-side configuration changes that require no changes to your site's content.
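The sketch below is an added example, not code from this page's scanner or any particular server product. It builds the two headers named above and audits a response's headers for values a browser would not honour, such as `1` instead of `?1` or a header sent twice. The function names and sample responses are hypothetical; `same-site` is the third CORP value browsers recognise.

```javascript
// Added example: header names and values come from the page; function names are hypothetical.
const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

// Headers to attach to every response. Pass true only if other sites are
// meant to load your resources.
function isolationHeaders(servesOtherSites = false) {
  return {
    "Cross-Origin-Resource-Policy": servesOtherSites ? "cross-origin" : "same-origin",
    "Origin-Agent-Cluster": "?1",
  };
}

// Collect every value sent for a header name (case-insensitive) and join
// repeats with ", ", the way a browser combines repeated header lines.
function getHeader(headers, name) {
  const values = [];
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === name) values.push(...[].concat(value));
  }
  return values.length ? values.map((v) => String(v).trim()).join(", ") : null;
}

// Return a list of findings; an empty list means both headers are set as recommended.
function auditIsolationHeaders(headers) {
  const findings = [];
  const corp = getHeader(headers, "cross-origin-resource-policy");
  if (corp === null) findings.push("CORP missing");
  else if (!CORP_VALUES.has(corp)) findings.push(`CORP value not recognised: ${corp}`);
  else if (corp === "cross-origin") findings.push("CORP allows any site to load this resource");

  const oac = getHeader(headers, "origin-agent-cluster");
  if (oac === null) findings.push("Origin-Agent-Cluster missing");
  else if (oac !== "?1") findings.push(`Origin-Agent-Cluster is not ?1: ${oac}`);
  return findings;
}

// Constructed sample responses.
const samples = {
  fixed: isolationHeaders(),
  missingQuestionMark: { "origin-agent-cluster": "1" },
  sentTwice: { "Cross-Origin-Resource-Policy": ["same-origin", "same-origin"], "Origin-Agent-Cluster": "?1" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, auditIsolationHeaders(headers));
}
```

A CORP header that is emitted twice (for example by both the application and a reverse proxy) is combined into one unrecognised value, so check the final response rather than the configuration file.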