How to fix: Permissions-Policy
OWASP A05
Why this matters
Permissions-Policy disables browser features (camera, microphone, geolocation, etc.) your site doesn't use. If a script ever gets injected, it can't ask for permissions you've already denied at the document level.
Background
Permissions-Policy (formerly Feature-Policy) lets you turn off browser APIs your site doesn't need (camera, microphone, geolocation, payment, USB). A compromised script then can't abuse them. Defaults are permissive, so an explicit deny-list of unused APIs is a worthwhile defence-in-depth measure.
References
W3C Permissions-Policy · MDN
How to fix
A code snippet for each stack we cover; pick the one matching your server or framework.
nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;
apache
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
cloudflare
Transform Rules → set the header as above; tailor the deny-list to APIs you don't use.
wordpress
Headers Security Advanced plugin.
flask
from flask_talisman import Talisman; Talisman(app, permissions_policy={'camera': '()', 'microphone': '()', ...})
express
Helmet has no Permissions-Policy middleware (helmet.permittedCrossDomainPolicies() sets the unrelated X-Permitted-Cross-Domain-Policies header), so set it yourself: app.use((req, res, next) => { res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=(), usb=()'); next(); });
rails
Permissions-Policy is not yet in the Rails defaults; add it via config.action_dispatch.default_headers.
Verify it's working
curl -sI https://your-site/ | grep -i 'permissions-policy:'
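The grep above only confirms the header is present. As an added example (not part of this page's tooling), the Python checker below parses the header value out of curl -sI output and confirms that every feature in the deny-list actually has an empty allowlist; the two sample responses are constructed.

```python
from typing import Dict, List, Optional

# Features in the page's deny-list; a site using none of them should send
# each with an empty allowlist, e.g. camera=().
EXPECTED_DENIED = ("camera", "microphone", "geolocation", "payment", "usb")

def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse a Permissions-Policy value into {feature: allowlist}; ``()`` means
    the feature is denied everywhere, a bare ``feature=self`` is accepted too."""
    policy = {}
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        name, _, allow = member.partition("=")
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            tokens = allow[1:-1].split()
        else:
            tokens = [allow] if allow else []
        # Origins appear quoted in the header syntax; drop the quotes.
        policy[name.strip().lower()] = [t.strip('"') for t in tokens]
    return policy

def header_value(raw_headers: str, name: str) -> Optional[str]:
    """Case-insensitive lookup of one header in curl -sI style output."""
    for line in raw_headers.splitlines():
        field, sep, val = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return val.strip()
    return None

def audit(raw_headers: str, required_denied=EXPECTED_DENIED) -> List[str]:
    """Return findings; an empty list means every required feature is denied."""
    value = header_value(raw_headers, "Permissions-Policy")
    if value is None:
        return ["Permissions-Policy header missing"]
    policy = parse_permissions_policy(value)
    findings = []
    for feature in required_denied:
        if feature not in policy:
            findings.append(f"{feature}: not governed (browser default applies)")
        elif policy[feature]:
            findings.append(f"{feature}: allowed for {' '.join(policy[feature])}")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = "HTTP/2 200\r\npermissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()\r\n"
WEAK = "HTTP/2 200\r\nPermissions-Policy: camera=(self), microphone=*, geolocation=(\"https://maps.example\")\r\n"
```

Pipe real output in with `audit(subprocess.run(["curl", "-sI", url], capture_output=True, text=True).stdout)`; a feature that is merely missing from the header still falls back to the browser's default allowlist, which is why it is reported.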