Permissions-Policy (Permissions-Policy)
Settings Overview
| Feature | Recommended Policy | Purpose |
|---|---|---|
| camera | () | Block camera access |
| microphone | () | Block microphone access |
| geolocation | (self) | Allow only your origin |
| payment | (self) | Restrict payment API to your origin |
| autoplay | (self) | Control media autoplay |
Why You Should Care About Permissions-Policy
Permissions-Policy provides defense in depth against malicious third-party content. If an ad network or embedded widget is compromised, a properly configured Permissions-Policy prevents it from accessing the user's camera, microphone, or location even if it tries. Without this header, any iframe on your page could request these permissions.
The header also signals to the browser which features your site intentionally uses. Setting camera=() (empty allowlist) tells the browser your page never needs camera access. This prevents both first-party and third-party code from accessing the camera, reducing the risk from XSS or compromised dependencies.
Key features to restrict include camera, microphone, geolocation, payment, usb, and autoplay. Most websites do not need these capabilities and should explicitly disable them. Only enable what you actually use, and restrict third-party iframe access to the minimum necessary.
How to Check
A security audit checks for the Permissions-Policy header and evaluates which features are restricted. Review the policy to confirm sensitive APIs (camera, microphone, geolocation) are disabled unless your application specifically needs them.