Permissions-Policy Header Explained
Permissions-Policy (formerly Feature-Policy) is an HTTP response header that controls which browser features and APIs can be used on your page. It allows you to disable access to the camera, microphone, geolocation, and other sensitive APIs, reducing the attack surface if an attacker achieves code execution on your page.
Recommended Value
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=()
What Each Directive Does
| Directive | Purpose |
|---|---|
| camera=() | Disables camera access for the page and all embedded iframes |
| microphone=() | Disables microphone access |
| geolocation=() | Disables geolocation API |
| payment=() | Disables Payment Request API |
| usb=() | Disables WebUSB API |
What Happens Without This Header
Without Permissions-Policy, any JavaScript running on your page (including injected scripts or compromised third-party libraries) can access the camera, microphone, geolocation, and other sensitive APIs. An XSS attack could silently activate the webcam or track the user's location.
How to Implement
```nginx
# Nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;
```

```apache
# Apache
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
```

```javascript
// Express.js
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=(), usb=()');
  next();
});
```
Testing and Report-Only
Permissions-Policy does not have a report-only mode. However, it is safe to deploy restrictively because most web apps do not use camera, microphone, or geolocation APIs. Only add exceptions for features you actually use.
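Since there is no report-only mode, a deployment check is the practical way to confirm the header disables what you intend. The following is an added example, not code from the original page: it parses a Permissions-Policy value and lists which of the sensitive features from the recommended value are still usable (the header strings are constructed for illustration; treating a bare feature name as `*` is this example's assumption).

```javascript
// Added example (not from the original page): parse a Permissions-Policy
// header value and report which sensitive features remain usable.
const SENSITIVE_FEATURES = [
  'camera', 'microphone', 'geolocation', 'payment', 'usb',
  'magnetometer', 'gyroscope',
];

// Parse `camera=(), geolocation=(self "https://maps.example"), fullscreen=*`
// into a Map of feature -> allowlist tokens. An empty array means the
// feature is disabled for the page and every embedded frame.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const rawEntry of headerValue.split(',')) {
    const entry = rawEntry.trim();
    if (!entry) continue;
    const eq = entry.indexOf('=');
    // Assumption of this example: a bare feature name is treated as `*`.
    const feature = (eq === -1 ? entry : entry.slice(0, eq)).trim().toLowerCase();
    const rhs = eq === -1 ? '*' : entry.slice(eq + 1).trim();
    let tokens;
    if (rhs.startsWith('(') && rhs.endsWith(')')) {
      // Parenthesised allowlist: space-separated tokens, possibly none.
      tokens = rhs.slice(1, -1).trim().split(/\s+/).filter(Boolean);
    } else {
      tokens = [rhs]; // `*` or `self` without parentheses
    }
    // Origins are quoted in the header syntax; strip quotes for comparison.
    policy.set(feature, tokens.map((t) => t.replace(/^"|"$/g, '')));
  }
  return policy;
}

// Sensitive features that are still usable: either not mentioned at all
// (the browser default allowlist, usually `self`, then applies, so the
// page's own scripts can call the API) or given a non-empty allowlist.
function stillAllowed(headerValue) {
  const policy = parsePermissionsPolicy(headerValue);
  return SENSITIVE_FEATURES.filter((f) => !policy.has(f) || policy.get(f).length > 0);
}

// Constructed sample values: the recommended header and a partial one.
const RECOMMENDED = 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=()';
const PARTIAL = 'camera=(self "https://video.example"), microphone=()';
```

Run `stillAllowed(PARTIAL)` to see every feature the partial header leaves reachable; the recommended value yields an empty list.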