Permissions-Policy (formerly Feature-Policy) lets you disable browser features like camera, microphone, geolocation and payment APIs for your site and any embedded content. Disabling what you do not use reduces your attack surface.
Permissions-Policy declares which powerful browser capabilities your pages — and any iframes they embed — are allowed to use. Turning off unused features prevents malicious or compromised third-party content from abusing them.
Check your website
See how your site handles permissions-policy: locking down powerful browser features — free, no account needed.
For business owners
If your site never needs the camera or microphone, there is no reason for any script — especially third-party ones — to be able to request them. Permissions-Policy shuts those doors. It is a modern hardening measure that shows up on advanced security scans and protects visitors from surprise permission prompts triggered by embedded content.
How it works (technical)
The header lists features and their allowed origins, e.g. Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(). An empty allow-list () disables the feature entirely; (self) allows only your origin; you can also name specific origins.
Crucially, the policy also constrains embedded iframes, so a third-party widget cannot silently request geolocation on your behalf.
Real-world example
A news site embedded several third-party ad frames. One began prompting readers for location access. Setting Permissions-Policy: geolocation=() disabled geolocation for the whole document and its frames, instantly stopping the prompts.
Why it matters
It reduces attack surface and protects users from unwanted permission requests by embedded content. Advanced scanners and privacy reviews increasingly expect it.
How to fix it
List the powerful features your site actually uses.
Disable everything else with an empty allow-list, e.g.
camera=(), microphone=(), geolocation=().Allow required features only for your own origin with
(self).Test embedded content (maps, video, payments) still works, then re-scan.
Best practices
Default-deny features and enable only what you need.
Review the policy whenever you add a feature that needs a browser capability.
Common mistakes
Leaving all features enabled by omitting the header.
Disabling a feature your own site relies on (e.g. payment or fullscreen).
Frequently asked questions
Is this the same as Feature-Policy?
Yes — Permissions-Policy is the renamed, standardised successor to the older Feature-Policy header.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free