IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. Permissions-Policy

HTTP security header

Permissions-Policy

Permissions-Policy (formerly Feature-Policy) lets a site control which powerful browser features - camera, microphone, geolocation, fullscreen, and more - may be used, and by which origins. Disabling unused features reduces the attack surface exposed to injected or embedded content.

Example

Permissions-Policy: geolocation=(), camera=(), microphone=()

Configuration guidance

  • Disable every feature the application does not use.
  • Scope any needed features to specific trusted origins.

Helps mitigate

Cross-Site Scripting (XSS)

Related headers

Content-Security-Policy
MDN: Permissions-Policy

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub