Permissions-Policy header
Permissions-Policy is an HTTP header that allows disabling sensitive browser APIs (camera, microphone, geolocation) for the page and the ifr…
Understanding "Permissions-Policy header"
Permissions-Policy (formerly Feature-Policy) is an HTTP header that allows a site to explicitly declare which sensitive browser APIs are allowed or forbidden — for the page itself and for any iframes it embeds. The APIs covered include access to the camera, microphone, geolocation, push notifications, payment, accelerometer, and many other browser features.
Without this header, third-party scripts loaded by your page (ad networks, analytics scripts, chat widgets…) could potentially request access to these APIs. Permissions-Policy lets you apply the principle of least privilege: every feature the page does not need is explicitly disabled, for the page and for the iframes it embeds.
| Browser API | Your site | Third-party scripts |
|---|---|---|
| 📷 Camera | ❌ | ❌ |
| 🎤 Microphone | ❌ | ❌ |
| 📍 Geolocation | ❌ | ❌ |
| 💳 Payment | ❌ | ❌ |
| 🔔 Notifications | ✅ | ❌ |
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
How TheSiteFuse checks "Permissions-Policy header"
TheSiteFuse retrieves the HTTP response headers and looks for the Permissions-Policy header. The check verifies that the header is present and that it disables at minimum the three most sensitive APIs: camera, microphone and geolocation. A header that is present but empty, or one with overly permissive values, is flagged as a warning.
Why "Permissions-Policy header" matters
Without Permissions-Policy, third-party scripts loaded by your site can abuse browser APIs:
- Camera access — a malicious advertising script could request camera access. An inattentive user may accept the browser permission request.
- Unwanted geolocation — third-party scripts can trigger GPS location requests without your knowledge.
- Advanced fingerprinting — access to accelerometer, gyroscope or light sensors enables precise device fingerprinting without explicit requests.
- GDPR non-compliance — collecting sensitive data via third-party scripts without explicit consent violates GDPR.
Fix "Permissions-Policy header" step by step
Basic configuration — disable sensitive APIs
Apache:
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
Nginx:
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;
The feature=() syntax completely disables the feature for the page and its iframes.
Allow a feature only for your domain
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(self), payment=()"
(self) allows the feature for your domain only, not for third-party iframes.
Common features to disable
camera=(),microphone=(),geolocation=(),payment=(),usb=()
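To make the check described above and the `()` / `(self)` / `*` syntax concrete, here is an added example (not TheSiteFuse's own code) that parses a Permissions-Policy header value and scores it. The scoring rules are assumptions made for illustration: a missing header fails, an empty header or a required feature that is absent or set to `*` is a warning, and a required feature set to `()` or restricted to an explicit origin list such as `(self)` passes. The sample responses at the bottom are constructed.

```python
"""Evaluate a Permissions-Policy header the way a site checker might.

Added example, not TheSiteFuse's own code. The scoring rules are
assumptions for illustration, not the tool's actual logic.
"""
import re
from typing import Dict, List, Optional

# The three APIs the check treats as mandatory (assumed from the page's text).
REQUIRED_FEATURES = ("camera", "microphone", "geolocation")

# One directive: `feature=allowlist`, e.g. `camera=()`, `geolocation=(self)`, `usb=*`
_DIRECTIVE_RE = re.compile(r"^\s*([a-zA-Z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse a header value into {feature: allowlist tokens}.

    camera=()                        -> {"camera": []}            disabled everywhere
    geolocation=(self)               -> {"geolocation": ["self"]} own origin only
    usb=*                            -> {"usb": ["*"]}            allowed everywhere
    camera=(self "https://a.example") -> ["self", "https://a.example"]
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(","):
        match = _DIRECTIVE_RE.match(directive.strip())
        if not match:
            continue  # empty or malformed directive: skip it, as a lenient parser would
        feature, allowlist = match.group(1).lower(), match.group(2)
        if allowlist.startswith("(") and allowlist.endswith(")"):
            tokens = allowlist[1:-1].split()  # parenthesised list: zero or more origins
        else:
            tokens = [allowlist] if allowlist else []  # bare token such as `*`
        policy[feature] = [token.strip('"') for token in tokens]
    return policy


def evaluate_permissions_policy(header_value: Optional[str]) -> dict:
    """Return {"status": "pass" | "warning" | "fail", "findings": [...]}."""
    if header_value is None:
        return {"status": "fail", "findings": ["Permissions-Policy header is missing"]}
    if not header_value.strip():
        return {"status": "warning",
                "findings": ["Permissions-Policy header is present but empty"]}

    policy = parse_permissions_policy(header_value)
    findings = []
    for feature in REQUIRED_FEATURES:
        if feature not in policy:
            findings.append(f"{feature} is not restricted (no directive)")
        elif "*" in policy[feature]:
            findings.append(f"{feature}=* allows the feature for every origin")
        # `()` (disabled) or an explicit list such as `(self)` is accepted here.
    return {"status": "warning" if findings else "pass", "findings": findings}


def check_response_headers(headers: Dict[str, str]) -> dict:
    """Find the header case-insensitively (HTTP header names are) and score it."""
    value = None
    for name, val in headers.items():
        if name.lower() == "permissions-policy":
            value = val
            break
    return evaluate_permissions_policy(value)


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "no header": {"Content-Type": "text/html"},
        "empty header": {"Permissions-Policy": ""},
        "page's fix": {"permissions-policy":
                       "camera=(), microphone=(), geolocation=(), payment=(), usb=()"},
        "self for geo": {"Permissions-Policy":
                         "camera=(), microphone=(), geolocation=(self), payment=()"},
        "wildcard": {"Permissions-Policy": "camera=*, microphone=(), geolocation=()"},
    }
    for label, headers in samples.items():
        result = check_response_headers(headers)
        print(f"{label:>13}: {result['status']:<7} {'; '.join(result['findings'])}")
```

The parser is deliberately lenient (unknown or malformed directives are skipped rather than rejected) so that a single odd directive does not mask the state of the three required features; a stricter checker could instead report malformed directives as their own warning.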
Reference resource
To deepen your understanding of the technical concepts behind this check, see the dedicated Wikipedia article.
Wikipedia — Permissions-Policy header