Security Header

Permissions-Policy

Last updated: April 2026

Permissions-Policy (the successor to Feature-Policy) is an HTTP response header that controls which browser features and APIs your page and the iframes it embeds can use. Disabling features you do not use limits what an injected script or a compromised third-party iframe can do: with camera=() a getUserMedia() call fails even if the user would have granted the permission prompt.

Example header

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()

Empty parentheses () means the feature is disabled for all origins, including your own page. Features you do not list keep their default allowlist; for every feature on this page the default is self, so your own origin may use them but a cross-origin iframe may not unless the iframe element delegates the feature with its allow attribute.

Allow specific origins

# Allow geolocation for your own page only
Permissions-Policy: geolocation=(self)

# Allow camera for your page and a specific iframe origin
Permissions-Policy: camera=(self "https://video.yourapp.com")

# Allow payment for all origins (not recommended); the wildcard is written without parentheses
Permissions-Policy: payment=*

Two things to check when writing allowlists. First, the header sets the ceiling for the page and everything it embeds, but a cross-origin iframe still needs an allow attribute (for example <iframe allow="camera" src="https://video.yourapp.com">) to actually use a delegated feature. Second, listing an origin without self, as in camera=("https://video.yourapp.com"), disables the feature for your own page.
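To see how these allowlists are evaluated, here is a small parser and evaluator for the header syntax above, written for this page as an added example and not part of the HttpFixer page or any browser's code. Everything it assumes is labelled in the comments: the function and variable names, the simplified structured-header parsing (tokens, quoted strings and inner lists only, no parameters), and a default-allowlist table limited to the features this page mentions. The frame check is a simplified form of the inheritance rule in the Permissions Policy spec: the page itself must have the feature, a header entry (if any) must match the frame origin, and the iframe must delegate it.

```javascript
// Added example (not from the HttpFixer page): a parser and evaluator for the
// Permissions-Policy header syntax above. Assumptions, not from the page: all
// function and variable names, the simplified structured-header parsing (tokens,
// quoted strings and inner lists only; no parameters), and the default-allowlist
// table, which lists only the features this page mentions (all default to self).

const DEFAULT_ALLOWLIST = {
  camera: 'self', microphone: 'self', geolocation: 'self', payment: 'self',
  usb: 'self', magnetometer: 'self', gyroscope: 'self', accelerometer: 'self',
};

// "camera=(self \"https://a.com\"), payment=*, usb=()"
//   -> { camera: ['self', 'https://a.com'], payment: '*', usb: [] }
// Malformed members are skipped, as browsers skip them.
function parsePermissionsPolicy(headerValue) {
  const policy = {};
  for (const member of headerValue.split(',')) {
    const m = member.trim().match(/^([a-z][a-z0-9-]*)=(.*)$/i);
    if (!m) continue;
    const feature = m[1].toLowerCase();
    const value = m[2].trim();
    if (value === '*') { policy[feature] = '*'; continue; }
    const inner = value.match(/^\((.*)\)$/);
    if (!inner) continue;
    const items = [];
    for (const tok of inner[1].trim().split(/\s+/).filter(Boolean)) {
      if (tok === 'self' || tok === '*') items.push(tok);
      else if (/^"[^"]*"$/.test(tok)) {
        // Normalise quoted origins (drops default ports, lower-cases the host).
        try { items.push(new URL(tok.slice(1, -1)).origin); } catch { /* not an origin */ }
      }
      // anything else (e.g. 'none', src) is not valid in the header and is ignored
    }
    // A bare * inside the list is treated as the wildcard here; the canonical form is feature=*.
    policy[feature] = items.includes('*') ? '*' : items;
  }
  return policy;
}

// <iframe allow="camera 'self' https://a.com; geolocation"> -> { feature: '*' | [origins] }.
// In the attribute 'self' is the embedding page's origin, 'src' is the frame's origin and a
// bare feature name means 'src'. Origins are resolved here so matching is a plain compare.
function parseAllowAttribute(attr, pageOrigin, frameOrigin) {
  const out = {};
  for (const directive of attr.split(';')) {
    const [name, ...items] = directive.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const feature = name.toLowerCase();
    if (items.length === 0) { out[feature] = [frameOrigin]; continue; }
    if (items.includes('*')) { out[feature] = '*'; continue; }
    const origins = [];
    for (const it of items) {
      if (it === "'self'") origins.push(pageOrigin);
      else if (it === "'src'") origins.push(frameOrigin);
      else if (it !== "'none'") { try { origins.push(new URL(it).origin); } catch { /* skip */ } }
    }
    out[feature] = origins;
  }
  return out;
}

// Does `allowlist` ('*', 'self', or a list of 'self'/origins) grant `origin`?
function allowlistMatches(allowlist, origin, selfOrigin) {
  if (allowlist === '*') return true;
  if (allowlist === 'self') return origin === selfOrigin;
  return allowlist.some(item => (item === 'self' ? origin === selfOrigin : item === origin));
}

// Can the top-level document at pageOrigin use `feature` under this header?
// A feature the header does not mention falls back to its default allowlist.
function allowedForPage(policy, feature, pageOrigin) {
  const list = policy[feature] ?? DEFAULT_ALLOWLIST[feature] ?? 'self';
  return allowlistMatches(list, pageOrigin, pageOrigin);
}

// Can an <iframe src=frameOrigin allow=allowAttr> inside that page use `feature`?
// Simplified form of the spec's inheritance rule: the page itself must have the feature,
// a header entry (if any) must match the frame origin, and the container must delegate it,
// via allow="..." when that names the feature, otherwise via the default allowlist.
function allowedForFrame(policy, feature, pageOrigin, frameOrigin, allowAttr = '') {
  if (!allowedForPage(policy, feature, pageOrigin)) return false;
  if (feature in policy && !allowlistMatches(policy[feature], frameOrigin, pageOrigin)) return false;
  const container = parseAllowAttribute(allowAttr, pageOrigin, frameOrigin);
  const list = feature in container ? container[feature] : (DEFAULT_ALLOWLIST[feature] ?? 'self');
  return allowlistMatches(list, frameOrigin, pageOrigin);
}

// Fetch a live header and parse it (Node 18+ or a browser; needs network access).
async function fetchPolicy(url) {
  const res = await fetch(url, { redirect: 'follow' });
  return parsePermissionsPolicy(res.headers.get('permissions-policy') ?? '');
}
```

Running allowedForFrame against the page's own camera example shows the two checks above in action: with the header camera=(self "https://video.yourapp.com"), a frame from https://video.yourapp.com gets the camera only when the iframe carries allow="camera", and a frame from any other origin never does. In a Chromium-based browser you can confirm the live result from the DevTools console with document.featurePolicy.allowsFeature('camera'), which returns false for a feature the header has disabled.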

Recommended baseline

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()

Start from this list and remove only the features your own pages call. Browser support for the header is uneven outside Chromium-based browsers, so treat it as defense in depth alongside a Content-Security-Policy, not as the only control.

Set in Nginx

add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

The always parameter emits the header on error responses too. Note that Nginx does not merge add_header directives: a location block that contains any add_header of its own drops every add_header inherited from the server block, so repeat the security headers in each such location or define them once in an included file.

Set in vercel.json

{ "headers": [ { "source": "/(.*)", "headers": [
    { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
] } ] }