Headers
Permissions-Policy: explicitly disabling browser features your site doesn't use.
Published 2026-05-06 · Last updated 2026-05-06 · Vantyris editorial
Permissions-Policy (the successor to Feature-Policy) is a response header that lets your site explicitly tell the browser which powerful features it's allowed to use and which it isn't. Most sites don't need the camera, microphone, geolocation, USB access, or interest-cohort tracking (the FLoC successor) — but if a compromised third-party script tries to use any of them, the browser will allow it unless you've opted out. Permissions-Policy is the opt-out, and it's a one-line header. Defensive default; takes ten minutes to add.
What this means for your business
- Without Permissions-Policy, every JavaScript on your page can request access to powerful browser APIs. Most modern APIs (camera, microphone, geolocation) require user consent before they activate, but the request itself is a phishing vector — a malicious script can pop a permission dialog that looks like it's from your site.
- Permissions-Policy lets you tell the browser 'this site never uses these features; refuse them outright'. A compromised third-party script then can't even ask. The user is never shown the permission dialog because the browser blocks it before it can.
- The Permissions-Policy header also disables interest-cohort tracking (the FLoC successor) when set to `interest-cohort=()`. This is part of Vantyris's standard defensive header set and is what Vantyris's homepage ships.
How to fix
Add a Permissions-Policy header to every page's response, listing the features to disable. Start by disabling everything you don't actively use.
- List the browser APIs your site actually needs. Audit the JavaScript on your site. Does any of it call navigator.geolocation, navigator.mediaDevices.getUserMedia, navigator.usb, navigator.bluetooth, or similar? For most small business sites, the answer is none.
- Construct a Permissions-Policy header. A defensive starting policy: `camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()`. Each feature followed by `=()` means 'block everywhere'. To allow a feature on your own origin: `geolocation=(self)`. For specific third-party origins: `geolocation=(self "https://maps.example.com")`.
- Add the header to your web host or CDN. Apache: `Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()"`. Nginx: `add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()" always;`. Next.js: in `next.config.mjs` headers function.
- Verify in DevTools. Reload your site. Network tab → click any request → Response Headers. You should see `permissions-policy: camera=(), microphone=(), ...`.
Owner: Your web host or developer. · Time: 10-15 minutes.
Common gotchas
- If you DO use a feature (e.g., your site has a 'show me on the map' feature using geolocation), don't blanket-disable it. Use `geolocation=(self)` to allow your own domain.
- Some payment iframes (Stripe, PayPal) need `payment` allowed for specific origins. If you embed Stripe Checkout, set `payment=(self "https://checkout.stripe.com")`.
- Permissions-Policy syntax is finicky. Spaces inside parentheses, no quotes around feature names, exact origin URLs. Use a header checker (securityheaders.com) to validate.
- Older browsers read the now-deprecated Feature-Policy header instead. You can send both if you want belt-and-braces coverage; most sites just send Permissions-Policy and accept that pre-2021 browsers won't enforce.
How to verify the fix
Vantyris's verified scan checks for Permissions-Policy presence and parses the directives. Or use securityheaders.com which grades the header's coverage.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Does this affect search engine crawling?
No. Search crawlers don't try to use the camera or microphone. They ignore Permissions-Policy entirely. Setting a defensive policy doesn't hurt SEO.
What's the FLoC / interest-cohort thing?
Google's Topics API + Federated Learning of Cohorts was an attempt to do interest-based advertising without third-party cookies. Privacy advocates objected; many sites opt out by setting `interest-cohort=()`. Vantyris does this by default and we recommend you do too unless you have a specific reason to participate in the cohort scheme.
Will I notice anything as a site owner if my Permissions-Policy is too strict?
Only if you actively try to use a blocked feature on your site. Then the API call fails with a Permission denied error and you fix the policy. Defensive-by-default + iterate-when-needed is the right pattern.
References
Related explainers
- Content Security Policy: the header that stops most XSS attacks dead.
- X-Frame-Options and frame-ancestors: the anti-clickjacking header.
- HSTS: the security header that locks HTTPS on for good.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0