Security Headers

Mastering Permissions Policy

Take control of your browser's capabilities. Locking down features like the camera, microphone, and geolocation is essential for user privacy and security.

01 What is Permissions Policy?

The Permissions-Policy HTTP header (formerly known as Feature-Policy) allows website owners to enable, disable, or modify the behavior of powerful browser APIs and features.

It acts like a permission slip for the browser, telling it exactly what capabilities your site needs and, more importantly, what it definitely does not need. This reduces the attack surface and potential for abuse.

02 Why Use It?

Implementing a strict Permissions Policy offers several key benefits:

Prevent Feature Abuse

Even if an attacker finds an XSS vulnerability, they cannot turn on the user's camera or microphone if you have explicitly disabled these features in the header.

Protect User Privacy

Disabling geolocation and other sensors by default assures users that your site (and third-party scripts on it) isn't secretly tracking them.

Control 3rd Party Scripts

You can allow features for your own domain but block them for embedded iframes, ensuring that ads or widgets don't access sensitive APIs.

03 Essential Directives

Here are some of the most critical features you should consider restricting:

camera

Controls access to video input devices. Unless you are a video conferencing app, you should probably disable this.

microphone

Controls access to audio input devices. Like the camera, it is rarely needed and is a prime target for abuse, so disable it unless your site records audio.

geolocation

Controls access to the user's location. Restricting this prevents unauthorized tracking.

04 Implementation Guide

To implement Permissions Policy, add the header to your server configuration. The syntax uses a comma-separated list of directives.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()

In this example, each directive has the form feature=(allowlist):

  • () means the feature is disabled for everyone (an empty allowlist).
  • (self) allows the feature only for your own origin.
  • * allows the feature for everyone (not recommended).
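The following is an added example, not code from the original page. It builds a Permissions-Policy header value from a policy object using the structured-field syntax shown above (also listing a specific origin, which the header supports as a quoted string), parses a header back into allowlists, audits a header for features the site does not need but has left unrestricted (the check the FAQ and directive sections argue for), and converts the same policy into the iframe allow attribute used to delegate or deny features to an embedded third party (the "Control 3rd Party Scripts" point). All feature names and origins in the demo are constructed sample values.

```javascript
// Added example: build, parse and audit a Permissions-Policy header.
// Policy object: { feature: allowlist }, where allowlist is [] (disabled),
// ['self'], ['*'], or a mix of 'self' and origin strings.

// Serialise a policy object into a Permissions-Policy header value.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      if (allowlist.includes('*')) return `${feature}=*`;
      const items = allowlist.map((v) => (v === 'self' ? 'self' : `"${v}"`));
      return `${feature}=(${items.join(' ')})`;
    })
    .join(', ');
}

// Parse a header value back into a policy object. Malformed directives are skipped.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const part of header.split(',')) {
    const directive = part.trim();
    const eq = directive.indexOf('=');
    if (!directive || eq === -1) continue;
    const feature = directive.slice(0, eq).trim();
    const value = directive.slice(eq + 1).trim();
    const unquote = (t) => t.replace(/^"|"$/g, '');
    if (value === '*') {
      policy[feature] = ['*'];
    } else if (value.startsWith('(') && value.endsWith(')')) {
      const inner = value.slice(1, -1).trim();
      policy[feature] = inner === '' ? [] : inner.split(/\s+/).map(unquote);
    } else {
      // A bare token such as camera=self is treated as a one-item allowlist.
      policy[feature] = [unquote(value)];
    }
  }
  return policy;
}

// Audit a header against a list of features the site does not need:
// report any that are missing (browser default applies) or allowed for everyone,
// plus wildcard allowlists on features that are needed.
function auditPermissionsPolicy(header, unneededFeatures) {
  const policy = parsePermissionsPolicy(header);
  const findings = [];
  for (const feature of unneededFeatures) {
    if (!(feature in policy)) {
      findings.push(`${feature}: not restricted (browser default applies)`);
    } else if (policy[feature].includes('*')) {
      findings.push(`${feature}: allowed for all origins`);
    }
  }
  for (const [feature, allowlist] of Object.entries(policy)) {
    if (allowlist.includes('*') && !unneededFeatures.includes(feature)) {
      findings.push(`${feature}: wildcard allowlist, consider (self)`);
    }
  }
  return findings;
}

// Convert the same policy into an iframe allow attribute. Its syntax differs
// from the header: semicolon-separated, 'none'/'self' quoted, origins unquoted.
function toIframeAllow(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      if (allowlist.length === 0) return `${feature} 'none'`;
      const items = allowlist.map((v) => (v === 'self' ? "'self'" : v));
      return `${feature} ${items.join(' ')}`;
    })
    .join('; ');
}

// Demo with constructed sample values.
const sitePolicy = {
  camera: [],
  microphone: [],
  geolocation: ['self'],
  payment: ['self', 'https://pay.example'],
};
console.log('Permissions-Policy: ' + buildPermissionsPolicy(sitePolicy));
console.log('<iframe allow="' + toIframeAllow(sitePolicy) + '">');
console.log(auditPermissionsPolicy('camera=(self), geolocation=*', ['camera', 'microphone', 'geolocation']));
```

The header and the iframe attribute must agree: a feature disabled in the header cannot be re-enabled by an iframe's allow attribute, but a feature the header allows for self is only delegated to an embed if the attribute lists it.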

05 Frequently Asked Questions

Is Permissions Policy the same as CSP?

No. Content Security Policy (CSP) controls what resources (scripts, styles, images) can be loaded. Permissions Policy controls what browser features (camera, mic, geolocation) the page can use.

What happened to Feature Policy?

Feature Policy was renamed to Permissions Policy. The syntax changed slightly (using structured headers), but the concept remains the same. Modern browsers support Permissions Policy.

Can I use Permissions Policy to block ads?

Not directly. While you can block features often used by ads (like synchronous XHR or certain sensors), it is not an ad blocker. It is a security and privacy mechanism.

Does it work in all browsers?

Most modern browsers (Chrome, Edge, Firefox, Safari) support Permissions Policy, though support for specific directives may vary. Always check compatibility.
