Feature-Policy (Deprecated)

Definition: Feature-Policy was a security header that controlled which browser features and APIs a page could use. It has been renamed to Permissions-Policy with a new syntax. Feature-Policy used a space-separated syntax like camera 'none', while Permissions-Policy uses a structured fields syntax like camera=().

Why Feature-Policy Is Important

Feature-Policy is deprecated in favor of Permissions-Policy. If your server still sends a Feature-Policy header, it will work in older browsers, but modern browsers now look for Permissions-Policy instead. Sending the old header is not harmful, but the policy should be updated to the new format.

The functionality is the same - controlling access to browser APIs like camera, microphone, geolocation, and more. The change was primarily syntactic, aligning with the structured headers specification. During the transition period, some security scanners may report the absence of Feature-Policy even though Permissions-Policy is set.

If you are configuring security headers for the first time, use Permissions-Policy directly. If you have existing Feature-Policy headers, keep them for backward compatibility but add the Permissions-Policy equivalent alongside them.
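
The syntax mapping described above, as an added example that is not from the original page: a small Python converter that derives the Permissions-Policy value from an existing Feature-Policy value so both headers can be sent together. The function names and the sample header are constructed for illustration, and a directive with no allowlist is rejected rather than guessed.

```python
# Added example: derive a Permissions-Policy value from a Feature-Policy value.
# Function names are hypothetical; the sample header below is constructed.

def convert_allowlist(tokens):
    """Map one Feature-Policy allowlist to Permissions-Policy syntax."""
    if "*" in tokens:
        return "*"                      # all origins: fullscreen * -> fullscreen=*
    members = []
    for tok in tokens:
        if tok == "'none'":
            continue                    # contributes no origin: camera 'none' -> camera=()
        if tok == "'self'":
            members.append("self")      # keyword loses its quotes in the new syntax
        elif tok == "'src'":
            raise ValueError("'src' only applies to the iframe allow attribute")
        elif '"' in tok or "\\" in tok:
            raise ValueError(f"origin needs manual review: {tok!r}")
        else:
            members.append(f'"{tok}"')  # origins become double-quoted strings
    return "(" + " ".join(members) + ")"


def feature_to_permissions(value):
    """Translate a whole header value; ';' separators become ','."""
    directives = []
    for raw in value.split(";"):
        parts = raw.split()
        if not parts:
            continue                    # tolerate a trailing ';'
        feature, allowlist = parts[0], parts[1:]
        if not allowlist:
            raise ValueError(f"no allowlist given for {feature!r}")
        directives.append(f"{feature}={convert_allowlist(allowlist)}")
    return ", ".join(directives)


def add_permissions_policy(headers):
    """Keep Feature-Policy and add the equivalent Permissions-Policy if missing."""
    out = dict(headers)
    if "Feature-Policy" in out and "Permissions-Policy" not in out:
        out["Permissions-Policy"] = feature_to_permissions(out["Feature-Policy"])
    return out


# Constructed sample response headers
SAMPLE = {"Feature-Policy": "camera 'none'; microphone 'self'; "
                            "geolocation 'self' https://maps.example; fullscreen *"}

if __name__ == "__main__":
    for name, value in add_permissions_policy(SAMPLE).items():
        print(f"{name}: {value}")
```
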

How to Test for Feature-Policy

A security audit checks for both Feature-Policy and Permissions-Policy headers. Migrate from Feature-Policy to Permissions-Policy syntax. Keeping both temporarily is fine for backward compatibility.

Common Questions About Feature-Policy

Should I remove Feature-Policy if I have Permissions-Policy?
You can keep both for maximum compatibility. Older browsers that support Feature-Policy but not Permissions-Policy will still benefit. Eventually, you can remove Feature-Policy once browser support for Permissions-Policy is universal.

What changed between Feature-Policy and Permissions-Policy?
The main change is syntax. Feature-Policy: camera 'none' becomes Permissions-Policy: camera=(). The underlying functionality is the same. Permissions-Policy also aligns with the HTTP Structured Fields specification.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.