Skip to main content

Security Headers

Permissions-Policy: Locking Down Powerful Browser Features

Disable camera, microphone and geolocation you never use.

Quick answer

Permissions-Policy (formerly Feature-Policy) lets you disable browser features like camera, microphone, geolocation and payment APIs for your site and any embedded content. Disabling what you do not use reduces your attack surface.

Permissions-Policy declares which powerful browser capabilities your pages — and any iframes they embed — are allowed to use. Turning off unused features prevents malicious or compromised third-party content from abusing them.

Check your website

See how your site handles permissions-policy: locking down powerful browser features — free, no account needed.

For business owners

If your site never needs the camera or microphone, there is no reason for any script — especially third-party ones — to be able to request them. Permissions-Policy shuts those doors. It is a modern hardening measure that shows up on advanced security scans and protects visitors from surprise permission prompts triggered by embedded content.

How it works (technical)

The header lists features and their allowed origins, e.g. Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(). An empty allow-list () disables the feature entirely; (self) allows only your origin; you can also name specific origins.

Crucially, the policy also constrains embedded iframes, so a third-party widget cannot silently request geolocation on your behalf.

Real-world example

A news site embedded several third-party ad frames. One began prompting readers for location access. Setting Permissions-Policy: geolocation=() disabled geolocation for the whole document and its frames, instantly stopping the prompts.

Why it matters

It reduces attack surface and protects users from unwanted permission requests by embedded content. Advanced scanners and privacy reviews increasingly expect it.

How to fix it

  1. List the powerful features your site actually uses.

  2. Disable everything else with an empty allow-list, e.g. camera=(), microphone=(), geolocation=().

  3. Allow required features only for your own origin with (self).

  4. Test embedded content (maps, video, payments) still works, then re-scan.

Best practices

  • Default-deny features and enable only what you need.

  • Review the policy whenever you add a feature that needs a browser capability.

Common mistakes

  • Leaving all features enabled by omitting the header.

  • Disabling a feature your own site relies on (e.g. payment or fullscreen).

Frequently asked questions

Is this the same as Feature-Policy?

Yes — Permissions-Policy is the renamed, standardised successor to the older Feature-Policy header.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account