Skip to main content

Fix Guides

How to Fix a Missing Permissions-Policy Header

Disable browser features your site does not need — including in iframes.

Quick fix

To fix a missing Permissions-Policy header, add Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() (adjust for features you actually need) to every response via your server, CDN or security-headers plugin. Re-scan to confirm.

Permissions-Policy tells browsers which powerful APIs (camera, microphone, geolocation, payment) your pages and embedded iframes may use. Without it, third-party embeds can trigger permission prompts or abuse features you never intended to allow.

Check your website

See how your site handles how to fix a missing permissions-policy header — free, no account needed.

Business impact

Surprise camera or location permission prompts from embedded ads or widgets erode user trust instantly. Permissions-Policy is a low-effort header that locks down unused browser capabilities and shows up on advanced security scans as a professionalism signal.

Why this happens

The scanner flags "Missing Permissions-Policy" when neither Permissions-Policy nor the deprecated Feature-Policy header is present. An empty allow-list () disables a feature entirely; (self) allows only your origin. The policy applies to embedded iframes too — so a compromised ad frame cannot request geolocation on your page's behalf.

How to confirm the issue

Manually: DevTools → Network → document request → Response Headers. No permissions-policy line means it is missing.

With Plexa Trust: look for "Missing Permissions-Policy". Re-scan after adding the header.

Step-by-step fix

  1. List browser features your site actually uses (geolocation for store finder, payment for checkout, etc.).

  2. Disable everything else with empty allow-lists: camera=(), microphone=(), geolocation=().

  3. Add the Permissions-Policy header site-wide (server, CDN or plugin).

  4. Test pages that use allowed features still work.

  5. Remove deprecated Feature-Policy if present — use Permissions-Policy only.

  6. Re-scan to confirm the finding clears.

Platform-specific fixes

Apache (.htaccess)

  1. Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"

  2. Adjust if your site needs geolocation or payment — use (self) for those.

  3. Reload Apache.

Nginx

  1. add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

  2. nginx -t && reload.

Cloudflare

  1. Transform Rules → Modify Response Header → add Permissions-Policy.

  2. Or add via Cloudflare Workers if you need per-route policies.

WordPress

  1. Many security-headers plugins include Permissions-Policy toggles.

  2. Enable and set restrictive defaults; allowlist only features your plugins need.

How to verify the fix

  • Start restrictive — only allow features you genuinely use.

  • Remember embedded iframes inherit the policy — this protects against third-party abuse.

  • Pair with CSP and other security headers for defence in depth.

  • Re-scan with Plexa Trust and confirm "Missing Permissions-Policy" is cleared.

Common mistakes

  • Using deprecated Feature-Policy instead of Permissions-Policy.

  • Disabling geolocation when your store locator needs it — test after deploying.

  • Adding the header only on the homepage, not site-wide.

  • Conflicting duplicate headers from CDN and origin.

Frequently asked questions

What should I disable by default?

camera, microphone, geolocation, payment, usb, serial — anything your site does not use. Use () to disable entirely.

Is Permissions-Policy the same as Feature-Policy?

Yes — Permissions-Policy is the modern replacement. Use Permissions-Policy; drop Feature-Policy.

Does this block my Google Maps embed?

Maps may need geolocation=(self) or specific origins. Test after tightening the policy.

Do I need this if I have CSP?

Yes — they solve different problems. CSP controls resource loading; Permissions-Policy controls browser APIs.

Will this break Stripe checkout?

Stripe may need payment=(self "https://js.stripe.com") or similar. Test checkout after deploying.

Where is Permissions-Policy set on Plexa Trust?

Plexa Trust sets it on its own site as an example — camera=(), microphone=(), geolocation=() in .htaccess.

Is this required for PCI compliance?

Not explicitly mandated, but security header hardening supports PCI DSS control objectives around secure configurations.

How do I confirm the fix?

Check response headers in DevTools or curl -I, then re-scan with Plexa Trust.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring