HTTP security header
Permissions-Policy
Permissions-Policy (formerly Feature-Policy) lets a site control which powerful browser features - camera, microphone, geolocation, fullscreen, and more - may be used, and by which origins. Disabling unused features reduces the attack surface exposed to injected or embedded content.
Example
Permissions-Policy: geolocation=(), camera=(), microphone=()Configuration guidance
- Disable every feature the application does not use.
- Scope any needed features to specific trusted origins.
Helps mitigate
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app