HTTP Security Header
Permissions-Policy
Allows web developers to selectively enable, disable, and modify the behavior of certain browser APIs and features.
Configuration Snapshot
- Header Name: Permissions-Policy
- Primary Mitigation: Feature Misuse, Browser Resource Hijacking
Example Configuration
Permissions-Policy: geolocation=(), microphone=(), camera=()
Implementation Best Practices
- Disable unneeded APIs globally using empty lists ()
- Grant permissions selectively using origin whitelists
- Audit iframe sandbox definitions to prevent permission inheritance
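One way to check a header value against the practices listed above, as an added example that is not code from this page or its auditing tool. The `UNNEEDED` feature list, the function names and the `maps.example.com` origin are assumptions, and only the common `feature=(allowlist)` form is parsed.

```python
# Assumption: features this hypothetical site never uses and wants disabled.
UNNEEDED = ("geolocation", "microphone", "camera")

def parse_permissions_policy(value):
    """Parse 'feature=(allowlist), ...' into {feature: [allowlist items]}.

    Handles the common form only; structured-field parameters are not parsed.
    """
    policy = {}
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        feature, sep, allowlist = directive.partition("=")
        feature, allowlist = feature.strip(), allowlist.strip()
        if not sep or not allowlist:
            raise ValueError(f"missing allowlist: {directive!r}")
        if allowlist.startswith("(") and allowlist.endswith(")"):
            items = allowlist[1:-1].split()   # () yields [], i.e. disabled
        else:
            items = [allowlist]               # bare token such as * or self
        policy[feature] = [item.strip('"') for item in items]
    return policy

def audit(value, unneeded=UNNEEDED):
    """Return findings for a header value; an empty list means none."""
    policy = parse_permissions_policy(value)
    findings = []
    for feature in unneeded:
        if feature not in policy:
            findings.append(f"{feature}: not set, browser default applies")
        elif policy[feature]:
            findings.append(f"{feature}: expected (), got {policy[feature]}")
    for feature, items in policy.items():
        if "*" in items:
            findings.append(f"{feature}: wildcard allows every origin")
        findings += [f"{feature}: non-HTTPS origin {i}"
                     for i in items if i.startswith("http://")]
    return findings

if __name__ == "__main__":
    # Constructed sample header values, not taken from a real site.
    samples = [
        "geolocation=(), microphone=(), camera=()",
        'geolocation=(self "https://maps.example.com"), camera=*',
    ]
    for header in samples:
        print(header, "->", audit(header) or "no findings")
```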
Audit Your Configuration
Properly implementing Permissions-Policy is critical for achieving a robust security posture. A misconfigured header can leave your application exposed to client-side attacks or accidentally block legitimate functionality. Use our Security Headers auditing tool to evaluate your live production setup.