Understanding the Permissions-Policy HTTP Security Header

Modern web applications often rely on a wide range of browser features to deliver rich, interactive experiences. However, some of those features can introduce security and privacy risks if not properly controlled. That's where the Permissions-Policy HTTP security header comes in.

What Is the Permissions-Policy HTTP Security Header?

Permissions-Policy is an HTTP response header that provides granular control over the use of certain browser features. Through various directives and allowlists, site administrators can specify exactly which features are permitted in the top-level document and in embedded frames — and for which origins.

Key Takeaways:

  • Fine-Grained Control: Configure which features your site and embedded content can use.
  • Enhanced Privacy: Limit the scope of sensitive capabilities to reduce exposure of user data.
  • Flexibility: Different directives can be combined with specific domains or keywords.

How the Permissions-Policy Header Works

Basic Syntax

Permissions-Policy: <directive>=(<allowlist>)

Multiple directives can be combined:

Permissions-Policy: camera=(), geolocation=(self "https://example.com")

Allowlist Values

  • *: Permits the feature for all origins
  • (): Disables the feature completely
  • self: Restricts to same origin
  • "https://example.com": Allows specific origin

Risks of Not Using Permissions-Policy

Overexposed Browser Features

Embedded content can potentially access sensitive browser features without explicit control.

Data Leakage

Sensor data can be aggregated for fingerprinting or used in side-channel attacks.

Compliance Issues

Lack of control over feature access could lead to regulatory compliance problems.

Server Implementation

Apache (httpd.conf or .htaccess, using mod_headers):

<IfModule mod_headers.c>
    Header set Permissions-Policy "microphone=(), geolocation=()"
</IfModule>

Nginx (server block):

server {
    listen 80;
    server_name example.com;
    add_header Permissions-Policy "microphone=(), geolocation=()" always;
}

IIS (web.config):

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Permissions-Policy" value="microphone=(), geolocation=()" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Advanced Considerations

Combining Policies

Define a broad policy in the server-level header and narrow it further for individual iframes (via the iframe allow attribute) for layered security; a frame can only be granted a feature that the page-level policy already allows for that frame's origin, so the header sets the outer limit and the iframe attribute only tightens it.

Reporting Mode

Use Permissions-Policy-Report-Only to log violations without enforcing restrictions.

Testing & Validation

Regularly test directives to ensure they behave as expected in your environment.
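As an added example (not part of the original article), the following Python script parses header values written in the syntax from the Basic Syntax and Allowlist Values sections and flags the weak settings the Risks section warns about, which is a check worth running as part of the testing described here. The set of features it treats as sensitive is an assumption chosen for the example, not an official list.

```python
import re
from typing import Dict, List

# Features this audit treats as sensitive (assumption: a list chosen for the
# example, not an official or exhaustive set).
SENSITIVE_FEATURES = ("camera", "geolocation", "microphone", "payment", "usb")

# One directive: name=(token token ...) or name=<single bare token>.
_DIRECTIVE = re.compile(r'([a-z][a-z0-9-]*)\s*=\s*(\([^)]*\)|\*|self|"[^"]*")')
# Allowlist tokens: *, self, or a double-quoted origin.
_TOKEN = re.compile(r'"[^"]*"|\*|self')


def parse_permissions_policy(header: str) -> Dict[str, List[str]]:
    """Parse a Permissions-Policy value into {feature: allowlist tokens}.

    camera=()  ->  {"camera": []}   (empty allowlist: disabled everywhere)
    microphone=*  ->  {"microphone": ["*"]}   (bare single-token form)
    """
    policy: Dict[str, List[str]] = {}
    for name, raw in _DIRECTIVE.findall(header):
        # Parenthesised allowlist: tokenise the inside; bare form: one token.
        policy[name] = _TOKEN.findall(raw[1:-1]) if raw.startswith("(") else [raw]
    return policy


def audit_policy(policy: Dict[str, List[str]]) -> List[str]:
    """Return findings for weak or missing settings on sensitive features."""
    findings: List[str] = []
    for feature in SENSITIVE_FEATURES:
        if feature not in policy:
            # No directive: the header leaves this feature at the browser default.
            findings.append(f"{feature}: not restricted (no directive)")
            continue
        if "*" in policy[feature]:
            findings.append(f"{feature}: allowed for every origin (*)")
        for token in policy[feature]:
            if token.startswith('"http://'):
                findings.append(f"{feature}: non-HTTPS origin {token} in allowlist")
    return findings


# Constructed sample header values for the demonstration.
WEAK_HEADER = 'camera=(), geolocation=(self "http://example.com"), microphone=*'
STRICT_HEADER = ('camera=(), geolocation=(self), microphone=(), '
                 'payment=(self "https://pay.example"), usb=()')

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("strict", STRICT_HEADER)):
        print(label, audit_policy(parse_permissions_policy(header)) or "no findings")
```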