What is Permissions-Policy?

An HTTP header that controls which browser features your page and embedded iframes can access — camera, microphone, geolocation, payment, USB, and more. Restricting unused features reduces your attack surface.

What is the difference between Permissions-Policy and Feature-Policy?

Feature-Policy was the old name, deprecated in 2020. Permissions-Policy is the current standard with a different syntax. Most modern browsers support Permissions-Policy.

Should I disable all features by default?

Disable features your site does not use. If you never use the camera or geolocation, set them to (). This prevents third-party scripts on your page from accessing these features without your knowledge.

Generator

Permissions-Policy Header Generator

Control which browser APIs your page can access. Restricting unused features prevents third-party scripts from silently accessing your users' camera, microphone, or location.

For each feature: () = blocked for all · self = your origin only · * = allow all

Sensor / Device Features

Feature	() Block	self only	* Allow all
camera
microphone
geolocation
accelerometer
gyroscope

Payment / Commerce

Feature	() Block	self only	* Allow all
payment
usb

Privacy

Feature	() Block	self only	* Allow all
interest-cohort
fullscreen

Generated Header

Click "Generate Header" to build your policy.

Nginx

Scan all your security headers → HeadersFixer