Permissions Policy
Sitecheck Team
An HTTP response header that lets a site control which browser features and APIs can be used in the page and in embedded iframes.
Previously known as Feature Policy, the Permissions-Policy header restricts access to powerful browser APIs (such as the camera, microphone, geolocation and the Payment Request API) for the top-level page and any frames it embeds. It replaced the older Feature-Policy header and uses a different syntax: camera=(self) rather than camera 'self'. Disabling features the page does not need reduces the blast radius if a third-party script or embedded widget is compromised, because a feature the policy has turned off cannot be re-enabled from script.
Why it matters: Without explicit restrictions, any script running on your page (including an injected ad or analytics script) runs with the page's own privileges and can request camera or location access. The permission prompt the user sees is attributed to your origin, so it is likely to be granted. Tightening the policy is a low-effort, high-value hardening step.
Quick tips:
- Start by denying the powerful features your site does not use, for example:
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  There is no single deny-all directive; each feature is listed by name, and an empty allowlist () blocks it for the page itself and for every embedded frame.
- Add specific allowlists only for features your site actively uses, for example geolocation=(self "https://maps.example") to allow your own origin plus one named embed. A cross-origin iframe still needs a matching allow attribute to use a delegated feature.
- Pair with a strong CSP for defence in depth: CSP limits which scripts can load, Permissions-Policy limits what any loaded script can do.
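As an added example (not code from the original page or from Sitecheck), the following Node.js helpers build a Permissions-Policy value from an allowlist map, parse a received header value, and audit it for the powerful features discussed above. The set of audited features, the status labels and the placeholder origin https://maps.example are this example's own choices; the header syntax follows the Permissions Policy specification.

```javascript
// Added example, not code from the original page: build, parse and audit
// Permissions-Policy header values. Runs under Node.js with no dependencies.

// Features this example treats as "powerful" (an editorial choice; the spec
// defines many more). Per the spec, their default allowlist is self.
const POWERFUL_FEATURES = [
  "camera", "microphone", "geolocation", "payment", "display-capture", "usb",
];

const FEATURE_NAME = /^[a-z][a-z0-9-]*$/;

// Build a header value from { feature: allowlist }. An allowlist is "*"
// (any origin, rarely appropriate for a powerful feature) or an array of
// "self" and absolute origins; [] denies the feature everywhere, including
// the page itself.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      if (!FEATURE_NAME.test(feature)) throw new Error(`bad feature name: ${feature}`);
      if (allowlist === "*") return `${feature}=*`;
      const items = allowlist.map((entry) => {
        if (entry === "self") return "self";
        const origin = new URL(entry).origin; // throws on anything that is not a URL
        if (origin !== entry) throw new Error(`not a bare origin: ${entry}`);
        return `"${origin}"`; // origins are quoted strings in the header
      });
      return `${feature}=(${items.join(" ")})`;
    })
    .join(", ");
}

// Parse a header value into { feature: { any, self, origins } }. Handles the
// three shapes the header uses: feature=*, feature=() and
// feature=(self "https://origin"). Anything else (for example the src
// keyword, which is only valid in an iframe allow attribute) is rejected.
function parsePermissionsPolicy(headerValue) {
  const result = {};
  for (const raw of headerValue.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue;
    const m = /^([a-z][a-z0-9-]*)=(\*|\((.*)\))$/.exec(entry);
    if (!m) throw new Error(`unparseable directive: ${entry}`);
    const [, feature, allowlist, inner] = m;
    const parsed = { any: allowlist === "*", self: false, origins: [] };
    if (inner !== undefined) {
      for (const tok of inner.trim().split(/\s+/).filter(Boolean)) {
        if (tok === "self") parsed.self = true;
        else if (/^".+"$/.test(tok)) parsed.origins.push(tok.slice(1, -1));
        else throw new Error(`unexpected allowlist item ${tok} in ${feature}`);
      }
    }
    result[feature] = parsed;
  }
  return result;
}

// Audit a header value (null when the response carried no header) and
// report one status per powerful feature:
//   "default"      not mentioned, so the browser default (self) applies
//   "any"          allowed for every origin
//   "denied"       empty allowlist, nobody can use it
//   "allowlisted"  self and/or named origins only
function auditPermissionsPolicy(headerValue) {
  const policy = headerValue == null ? {} : parsePermissionsPolicy(headerValue);
  return POWERFUL_FEATURES.map((feature) => {
    const p = policy[feature];
    let status;
    if (p === undefined) status = "default";
    else if (p.any) status = "any";
    else if (!p.self && p.origins.length === 0) status = "denied";
    else status = "allowlisted";
    return { feature, status, origins: p ? p.origins : [] };
  });
}

// Demo with a constructed policy: deny camera and microphone, allow
// geolocation for the page itself and one hypothetical maps embed.
const demoHeader = buildPermissionsPolicy({
  camera: [], microphone: [], geolocation: ["self", "https://maps.example"],
});
console.log(`Permissions-Policy: ${demoHeader}`);
for (const f of auditPermissionsPolicy(demoHeader)) console.log(`${f.feature}: ${f.status}`);
```

Features reported as "default" are the ones the quick tips above ask you to decide about explicitly: the browser will let your own page use them, so any script that ends up running there can request them.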