
Permissions Policy: Control What Browser Features Your Site Can Use

Permissions Policy lets you block camera, microphone, geolocation, and other browser APIs — so third-party scripts on your site can't abuse them. Here's how to set it up.

WebSentry Team · April 26, 2026 · 6 min read

What Is Permissions Policy?

Permissions Policy (formerly Feature Policy) is an HTTP header that lets you control which browser features your website can use — and more importantly, which features third-party scripts loaded on your site can use.

Without it, any script running on your page — including ad networks, analytics providers, and embedded widgets — can request access to your users' camera, microphone, location, and other sensitive APIs. Permissions Policy lets you switch off the features you don't need so they can't be abused.

When WebSentry scans your site, the permissions check verifies whether you've set a policy that limits unnecessary browser capabilities.

Why It Matters

Consider this scenario: you embed a third-party chat widget on your site. That widget's JavaScript has the same browser API access as your own code. If the widget's CDN gets compromised, the injected script could silently activate a user's camera or harvest their location — unless you've blocked those APIs with a Permissions Policy.

The Header Format

Permissions-Policy: camera=(), microphone=(), geolocation=()

Each directive takes one of these values:

  • () — completely disabled
  • (self) — only your own origin can use it
  • (self "https://trusted.com") — your origin plus a specific third party

Recommended Starting Policy

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self), display-capture=()
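As an added example (not the article's own code, and not what the WebSentry scanner runs), here is a small Python checker that parses a Permissions-Policy value in the directive syntax described above and reports how each of the sensitive features from the recommended policy is restricted. Accepting the bare `*` and `self` forms alongside the parenthesised allowlists, and the category names in the report, are assumptions of this example.

```python
import re

# Directive syntax from the article: feature=() | (self) | (self "https://origin" ...)
# Assumption: the bare forms feature=* and feature=self are also accepted.
_DIRECTIVE_RE = re.compile(r'^\s*([a-z0-9-]+)\s*=\s*(\(([^)]*)\)|\*|self)\s*$')

# Features the recommended starting policy locks down
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb", "display-capture")


def parse_permissions_policy(header: str) -> dict:
    """Map each feature to its allowlist: [] (disabled), ['self'], ['*'], or origins."""
    policy = {}
    for directive in header.split(","):
        if not directive.strip():
            continue
        m = _DIRECTIVE_RE.match(directive)
        if not m:
            raise ValueError(f"malformed directive: {directive.strip()!r}")
        feature, value, inner = m.group(1), m.group(2), m.group(3)
        if value in ("*", "self"):
            allowlist = [value]
        else:
            # Inner list items are `self`, `*`, or quoted origins separated by spaces
            allowlist = [tok.strip('"') for tok in inner.split()]
        policy[feature] = allowlist
    return policy


def audit(header: str, features=SENSITIVE_FEATURES) -> dict:
    """Classify each feature as disabled, self-only, allowlisted, everyone, or unset."""
    policy = parse_permissions_policy(header)
    report = {}
    for feature in features:
        if feature not in policy:
            # No directive: the browser default applies, so scripts running in
            # your own origin (including third-party ones) can still request it
            report[feature] = "unset"
        elif policy[feature] == []:
            report[feature] = "disabled"
        elif policy[feature] == ["self"]:
            report[feature] = "self-only"
        elif "*" in policy[feature]:
            report[feature] = "everyone"
        else:
            report[feature] = "allowlisted"
    return report
```

Features reported as "unset" or "everyone" are the ones a third-party script on your page could still reach.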

How to Add It

Nginx

add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()";

Apache

Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()"

Next.js

// next.config.js
module.exports = {
  async headers() {
    return [{
      source: '/(.*)', // apply to every route
      headers: [{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' }]
    }];
  }
};

Summary

Permissions Policy is a low-effort, high-value header. Set it once, block everything you don't use, and you've removed an entire class of risk from third-party scripts on your site. Run a WebSentry scan to verify the header is set correctly.
