What is the difference between Permissions-Policy and Feature-Policy?

Feature-Policy was deprecated in 2020. Permissions-Policy is the current standard with different syntax. Use Permissions-Policy in all new configurations.

Should I disable all features by default?

Disable features your site does not use. If you never use camera or geolocation, set them to (). This prevents third-party scripts from accessing these APIs without your knowledge.

Does Permissions-Policy affect iframes?

Yes. The policy applies to the page and all embedded iframes. Setting camera=() blocks camera access in both your page and any iframes you embed.

Permissions-Policy Generator — Control Camera, Microphone, and Geolocation

Updated April 2026

Permissions-Policy controls which browser APIs your page — and any third-party scripts on it — can access. Disabling unused features prevents analytics scripts from silently accessing your users' camera or location.

Open Permissions-Policy Generator →

Why it matters

Every third-party script you load (analytics, chat widgets, ad trackers) runs with the same permissions as your page. Without Permissions-Policy, a compromised analytics script could theoretically access the camera API if the user has granted camera access to your site.

The syntax

Each feature gets a value:

() — blocked for all (page and all iframes)
(self) — allowed for your origin only
(*) — allowed for all
("https://trusted.com") — allowed for specific origin

Safe defaults for most sites

Permissions-Policy: camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), interest-cohort=(), payment=(self), usb=(), fullscreen=(self)

This blocks all sensor/device access, disables FLoC tracking (interest-cohort), allows payments only from your origin, and blocks USB.

Stack configs

Nginx

add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;

Apache

Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"

Vercel (vercel.json)

{ "headers": [ { "source": "/(.*)", "headers": [ {"key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), interest-cohort=()"} ] } ]
}

Express

res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), interest-cohort=()');

Features reference

Feature	What it controls	Safe default
camera	getUserMedia camera access	()
microphone	getUserMedia audio access	()
geolocation	navigator.geolocation	()
accelerometer	DeviceMotionEvent	()
gyroscope	DeviceOrientationEvent	()
payment	Payment Request API	(self) if you use payments
usb	WebUSB API	()
interest-cohort	FLoC tracking	()
fullscreen	Element.requestFullscreen()	(self)

Checking your current header

Run HeadersFixer on your URL to see if Permissions-Policy is set and what value it has:

Scan your security headers → HeadersFixer