To fix a missing Permissions-Policy header, add Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() (adjust for features you actually need) to every response via your server, CDN or security-headers plugin. Re-scan to confirm.
Permissions-Policy tells browsers which powerful APIs (camera, microphone, geolocation, payment) your pages and embedded iframes may use. Without it, third-party embeds can trigger permission prompts or abuse features you never intended to allow.
Check your website
See how your site handles how to fix a missing permissions-policy header — free, no account needed.
Business impact
Surprise camera or location permission prompts from embedded ads or widgets erode user trust instantly. Permissions-Policy is a low-effort header that locks down unused browser capabilities and shows up on advanced security scans as a professionalism signal.
Why this happens
The scanner flags "Missing Permissions-Policy" when neither Permissions-Policy nor the deprecated Feature-Policy header is present. An empty allow-list () disables a feature entirely; (self) allows only your origin. The policy applies to embedded iframes too — so a compromised ad frame cannot request geolocation on your page's behalf.
How to confirm the issue
Manually: DevTools → Network → document request → Response Headers. No permissions-policy line means it is missing.
With Plexa Trust: look for "Missing Permissions-Policy". Re-scan after adding the header.
Step-by-step fix
List browser features your site actually uses (geolocation for store finder, payment for checkout, etc.).
Disable everything else with empty allow-lists:
camera=(), microphone=(), geolocation=().Add the Permissions-Policy header site-wide (server, CDN or plugin).
Test pages that use allowed features still work.
Remove deprecated Feature-Policy if present — use Permissions-Policy only.
Re-scan to confirm the finding clears.
Platform-specific fixes
Apache (.htaccess)
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
Adjust if your site needs geolocation or payment — use (self) for those.
Reload Apache.
Nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
nginx -t && reload.
Cloudflare
Transform Rules → Modify Response Header → add Permissions-Policy.
Or add via Cloudflare Workers if you need per-route policies.
WordPress
Many security-headers plugins include Permissions-Policy toggles.
Enable and set restrictive defaults; allowlist only features your plugins need.
How to verify the fix
Start restrictive — only allow features you genuinely use.
Remember embedded iframes inherit the policy — this protects against third-party abuse.
Pair with CSP and other security headers for defence in depth.
Re-scan with Plexa Trust and confirm "Missing Permissions-Policy" is cleared.
Common mistakes
Using deprecated Feature-Policy instead of Permissions-Policy.
Disabling geolocation when your store locator needs it — test after deploying.
Adding the header only on the homepage, not site-wide.
Conflicting duplicate headers from CDN and origin.
Frequently asked questions
What should I disable by default?
camera, microphone, geolocation, payment, usb, serial — anything your site does not use. Use () to disable entirely.
Is Permissions-Policy the same as Feature-Policy?
Yes — Permissions-Policy is the modern replacement. Use Permissions-Policy; drop Feature-Policy.
Does this block my Google Maps embed?
Maps may need geolocation=(self) or specific origins. Test after tightening the policy.
Do I need this if I have CSP?
Yes — they solve different problems. CSP controls resource loading; Permissions-Policy controls browser APIs.
Will this break Stripe checkout?
Stripe may need payment=(self "https://js.stripe.com") or similar. Test checkout after deploying.
Where is Permissions-Policy set on Plexa Trust?
Plexa Trust sets it on its own site as an example — camera=(), microphone=(), geolocation=() in .htaccess.
Is this required for PCI compliance?
Not explicitly mandated, but security header hardening supports PCI DSS control objectives around secure configurations.
How do I confirm the fix?
Check response headers in DevTools or curl -I, then re-scan with Plexa Trust.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan