
Permissions Policy

An HTTP response header that controls which browser features and APIs can run on a page and in its embedded frames.

Sitecheck Team

Permissions-Policy (formerly Feature Policy) is an HTTP response header that restricts access to powerful browser APIs — camera, microphone, geolocation, payment, USB, autoplay, and many others — for the top-level page and any iframes it loads. Unset features default to whatever the browser allows, which is usually too permissive for production sites.

Why it matters

Without explicit restrictions, any script on your page (including third-party ads, tag managers, or analytics) can prompt the user for camera, location, or sensor access. If one of those scripts is later compromised, the attacker inherits whatever permissions the user has granted. Tightening Permissions Policy is a low-effort, high-value hardening step that also reduces what untrusted iframes can do.

How to set it

  • Start with a deny-all baseline and opt back in only what you need: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=().
  • Use allowlists like geolocation=(self) for first-party use, or camera=(self "https://meet.example.com") for known third parties.
  • Layer it with a strict CSP — the two headers cover different threats.
  • Force the entire site over TLS with HSTS so the policy cannot be stripped on the wire.
  • Block framing as an additional measure to mitigate clickjacking.
  • Verify with curl -I and the Mozilla Observatory or browser DevTools Security panel.
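As an added example (not code from the Sitecheck page or any library), the following Python parser reads the Permissions-Policy value syntax shown in the steps above and audits it against the deny-all baseline; the baseline feature list and the header values in the usage section are constructed for illustration.

```python
import re

# Features the baseline above denies unless explicitly opted back in (constructed list).
BASELINE = ("camera", "microphone", "geolocation", "payment", "usb")

# An allowlist member is either a quoted origin or a bare token such as self.
_TOKEN = re.compile(r'"[^"]*"|[^\s"]+')


def parse_permissions_policy(value):
    """Parse a Permissions-Policy header value into {feature: allowlist}.

    The allowlist is a list of tokens: 'self', '*', or an origin with its
    quotes removed. '()' parses to an empty list, i.e. denied for every origin.
    A single unparenthesised token (e.g. fullscreen=self) is also accepted.
    """
    policy = {}
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        name, sep, allow = directive.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed directive: {directive!r}")
        name, allow = name.strip().lower(), allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            policy[name] = [t.strip('"') for t in _TOKEN.findall(allow[1:-1])]
        elif allow and " " not in allow:
            policy[name] = [allow.strip('"')]
        else:
            raise ValueError(f"malformed allowlist for {name}: {allow!r}")
    return policy


def audit(policy, required=BASELINE):
    """Return one finding per baseline feature left unrestricted or open to *."""
    findings = []
    for feature in required:
        if feature not in policy:
            findings.append(f"{feature}: not restricted (browser default applies)")
        elif "*" in policy[feature]:
            findings.append(f"{feature}: allowed for every origin (*)")
    return findings


if __name__ == "__main__":
    # Constructed header values: a deny-all baseline and a partial, too-open one.
    for header in ("camera=(), microphone=(), geolocation=(), payment=(), usb=()",
                   'geolocation=(self), camera=(self "https://meet.example.com")'):
        print(header, "->", audit(parse_permissions_policy(header)) or "OK")
```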
