Skip to main content
Vantyris

Headers

Permissions-Policy: explicitly disabling browser features your site doesn't use.

Published 2026-05-06 · Last updated 2026-05-06 · Vantyris editorial

Permissions-Policy (the successor to Feature-Policy) is a response header that lets your site explicitly tell the browser which powerful features it's allowed to use and which it isn't. Most sites don't need the camera, microphone, geolocation, USB access, or interest-cohort tracking (the FLoC successor) — but if a compromised third-party script tries to use any of them, the browser will allow it unless you've opted out. Permissions-Policy is the opt-out, and it's a one-line header. Defensive default; takes ten minutes to add.

What this means for your business

How to fix

Add a Permissions-Policy header to every page's response, listing the features to disable. Start by disabling everything you don't actively use.

  1. List the browser APIs your site actually needs. Audit the JavaScript on your site. Does any of it call navigator.geolocation, navigator.mediaDevices.getUserMedia, navigator.usb, navigator.bluetooth, or similar? For most small business sites, the answer is none.
  2. Construct a Permissions-Policy header. A defensive starting policy: `camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()`. Each feature followed by `=()` means 'block everywhere'. To allow a feature on your own origin: `geolocation=(self)`. For specific third-party origins: `geolocation=(self "https://maps.example.com")`.
  3. Add the header to your web host or CDN. Apache: `Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()"`. Nginx: `add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()" always;`. Next.js: in `next.config.mjs` headers function.
  4. Verify in DevTools. Reload your site. Network tab → click any request → Response Headers. You should see `permissions-policy: camera=(), microphone=(), ...`.

Owner: Your web host or developer. · Time: 10-15 minutes.

Common gotchas

How to verify the fix

Vantyris's verified scan checks for Permissions-Policy presence and parses the directives. Or use securityheaders.com which grades the header's coverage.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Does this affect search engine crawling?

No. Search crawlers don't try to use the camera or microphone. They ignore Permissions-Policy entirely. Setting a defensive policy doesn't hurt SEO.

What's the FLoC / interest-cohort thing?

Google's Topics API + Federated Learning of Cohorts was an attempt to do interest-based advertising without third-party cookies. Privacy advocates objected; many sites opt out by setting `interest-cohort=()`. Vantyris does this by default and we recommend you do too unless you have a specific reason to participate in the cohort scheme.

Will I notice anything as a site owner if my Permissions-Policy is too strict?

Only if you actively try to use a blocked feature on your site. Then the API call fails with a Permission denied error and you fix the policy. Defensive-by-default + iterate-when-needed is the right pattern.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0