diff --git a/gradle/changelog/cross_origin_header.yaml b/gradle/changelog/cross_origin_header.yaml
new file mode 100644
index 0000000000..62e8d27791
--- /dev/null
+++ b/gradle/changelog/cross_origin_header.yaml
@@ -0,0 +1,2 @@
+- type: fixed
+ description: Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers added to all responses
diff --git a/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
index 6e9d72a74b..6fc6ec2a70 100644
--- a/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/filter/SecurityHeadersFilter.java
@@ -44,6 +44,8 @@ public class SecurityHeadersFilter extends HttpFilter {
 if (contextProvider.getStage() != Stage.TESTING) {
 response.setHeader("X-Frame-Options", "sameorigin");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+ response.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
 response.setHeader("Content-Security-Policy",
 "form-action 'self'; " +
 "object-src 'self'; " +
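Review bot: `Cross-Origin-Embedder-Policy: require-corp` on the second added line makes the browser refuse every cross-origin subresource (images, scripts, fonts, frames) that does not opt in via CORP or CORS headers, so any UI page or plugin that embeds assets from another origin will silently break, and nothing in the hunk shows a need for the cross-origin isolation that `require-corp` exists to enable (SharedArrayBuffer, high-resolution timers). If isolation is not a goal, `response.setHeader("Cross-Origin-Embedder-Policy", "credentialless");` keeps most of the protection while still allowing credential-less cross-origin loads, or drop COEP and keep only COOP; either way a comment stating the intent, e.g. `// COOP severs window.opener for cross-origin popups; COEP is deliberately not require-corp because plugins may embed third-party assets`, would stop the next reader from "hardening" it back. `Cross-Origin-Opener-Policy: same-origin` also cuts `window.opener` for popup-based login flows, which is worth confirming against any OAuth/OIDC plugins before release. Because the surrounding `Stage.TESTING` guard skips all of these headers under test, no integration test will catch the breakage; verify against a running instance with plugins installed. The enclosing method begins and ends outside this hunk.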