Permissions-Policy

Permissions-Policy: Control Browser Features with HTTP Headers

Formerly known as Feature-Policy, this header has been renamed Permissions-Policy and given a new value syntax and enhanced capabilities. Detailed resources that explain the differences between Feature-Policy and Permissions-Policy cover the updates and improvements in depth.

With Permissions-Policy, you gain granular control over browser features such as geolocation, fullscreen, microphone, camera, USB access, autoplay, payment, battery status, and more. This policy allows your server to instruct browsers on which features to enable or disable for your web application. Consequently, it improves security and user privacy.

How to Implement Permissions-Policy in Apache

For example, to disable the fullscreen feature on your website, add the following directive to your Apache configuration file (httpd.conf or apache2.conf, depending on your distribution) or to the relevant virtual host. The Header directive comes from mod_headers, so that module must be enabled:

Header always set Permissions-Policy "fullscreen=()"

The value is a comma-separated list of feature=allowlist pairs, and an empty allowlist () blocks the feature for every origin. Browsers parse Permissions-Policy as a structured dictionary, so the older Feature-Policy form (fullscreen 'none'; microphone 'none') is not accepted here. Because Header set replaces any existing value, list all the features you want to restrict in a single directive. For example, to disable both fullscreen and microphone, use:

Header always set Permissions-Policy "fullscreen=(), microphone=()"

After making these changes, restart your Apache server to apply them.

This configuration instructs browsers to disable the specified features. Below is an example of the HTTP response headers you should then see:

HTTP/1.1 200 OK
Date: Thu, 29 Apr 2021 06:40:43 GMT
Server: Apache/2.4.37 (centos)
Permissions-Policy: fullscreen=(), microphone=()
Content-Type: text/html; charset=UTF-8

The empty allowlist is what disables a feature completely, for your own pages as well as for embedded third-party content. For instance, to disable the geolocation feature entirely, add:

Header always set Permissions-Policy "geolocation=()"

The resulting header will look like this:

Permissions-Policy: geolocation=()

This tells the browser that no origin, including your own, is allowed to use the geolocation feature.

How to Use Permissions-Policy in Nginx

Similarly, for Nginx servers, you can set the Permissions-Policy header with the add_header directive, either in the http block of nginx.conf or in your site configuration file. Note that add_header lines are inherited from an enclosing block only when the current block defines none of its own, so a server or location block with its own add_header directives must repeat the policy; add the always parameter if the header should also be sent on error responses. For example, to disable the vibrate feature, add:

add_header Permissions-Policy "vibrate=()";

To disable multiple features such as geolocation, camera, and speaker, list them separated by commas. Browsers silently ignore feature names they do not recognise, so check that each name is a policy-controlled feature in the browsers you target:

add_header Permissions-Policy "geolocation=(), camera=(), speaker=()";

After restarting Nginx, you will see the corresponding response header:

HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Thu, 29 Apr 2021 06:48:35 GMT
Permissions-Policy: geolocation=(), camera=(), speaker=()
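To confirm that the header a server actually sends is well-formed, here is an added Python example (my own code, not from the original article or from the Apache or Nginx projects) that checks a raw HTTP response such as the Apache and Nginx outputs above. It parses the comma-separated feature=allowlist dictionary that Permissions-Policy uses, lists the features disabled for every origin, and rejects values written in the older Feature-Policy form (feature 'none'; ...). The two sample responses, the maps.example origin and the function names are constructed for this example.

```python
"""Check the Permissions-Policy header in a raw HTTP response.

Added example, not part of the original article. It extracts the header,
parses the comma-separated feature=allowlist dictionary used by
Permissions-Policy, reports which features are disabled for every origin,
and flags values written in the older Feature-Policy form that browsers
will not accept as Permissions-Policy.
"""
import re

# Constructed sample responses (not captured from a real server), modelled
# on the article's Apache and Nginx output. The first uses the structured
# dictionary syntax, the second the legacy Feature-Policy syntax.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 29 Apr 2021 06:40:43 GMT\r\n"
    "Server: Apache/2.4.37 (centos)\r\n"
    'Permissions-Policy: fullscreen=(), microphone=(), geolocation=(self "https://maps.example")\r\n'
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
LEGACY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.1\r\n"
    "Permissions-Policy: geolocation 'none'; camera 'none'; speaker 'none';\r\n"
    "\r\n"
)

# A feature name is a lowercase token; an allowlist entry is *, self, src
# or a double-quoted origin.
FEATURE_NAME = re.compile(r"[a-z][a-z0-9-]*")
ALLOWLIST_ITEM = re.compile(r'\*|self|src|"[^"\s]+"')


def header_value(raw_response, name):
    """Return the value of the first header called `name`, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_permissions_policy(value):
    """Parse `feature=(allowlist), feature=*` into {feature: [entries]}.

    Raises ValueError for anything that is not Permissions-Policy syntax.
    """
    if "'" in value or ";" in value:
        raise ValueError(
            "legacy Feature-Policy syntax: Permissions-Policy uses "
            "feature=() entries separated by commas, not 'none' and semicolons"
        )
    policy = {}
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        name, sep, allow = member.partition("=")
        name, allow = name.strip(), allow.strip()
        if not sep or not FEATURE_NAME.fullmatch(name):
            raise ValueError(f"malformed member: {member!r}")
        if allow.startswith("(") and allow.endswith(")"):
            entries = allow[1:-1].split()  # inner list, possibly empty
        else:
            entries = [allow]  # single bare item such as * or self
        for entry in entries:
            if not ALLOWLIST_ITEM.fullmatch(entry):
                raise ValueError(f"bad allowlist entry {entry!r} for {name}")
        policy[name] = entries
    return policy


def disabled_features(policy):
    """Features whose allowlist is empty, i.e. blocked for every origin."""
    return sorted(name for name, entries in policy.items() if not entries)


def check_response(raw_response):
    """Summarise the Permissions-Policy state of a raw HTTP response."""
    value = header_value(raw_response, "Permissions-Policy")
    if value is None:
        return {"present": False, "valid": False, "disabled": [], "error": "header missing"}
    try:
        policy = parse_permissions_policy(value)
    except ValueError as exc:
        return {"present": True, "valid": False, "disabled": [], "error": str(exc)}
    return {"present": True, "valid": True,
            "disabled": disabled_features(policy), "error": None}


if __name__ == "__main__":
    for label, response in (("apache", GOOD_RESPONSE), ("nginx", LEGACY_RESPONSE)):
        print(label, check_response(response))
```

Running the script reports the Apache-style response as valid with fullscreen and microphone disabled, and the Nginx-style response as present but invalid, which is exactly the failure mode a copied Feature-Policy value produces: the header is sent, but browsers ignore it.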

Why Use Permissions-Policy?

Using Permissions-Policy helps you enhance the privacy and security of your users. It limits browser features that could otherwise expose sensitive information or negatively impact user experience. For instance, disabling features like geolocation or camera access unless absolutely necessary reduces risks of unauthorized tracking or spying.

Furthermore, managing these permissions at the HTTP header level simplifies your codebase. You don’t need to implement feature restrictions inside your JavaScript or server logic manually.

Useful Tools for HTTP Security Headers

To help you analyze and improve your website's HTTP headers, including security headers such as Clear-Site-Data and Permissions-Policy, consider using online HTTP header scanner tools. These tools scan your website's response headers and provide detailed reports, which helps you optimize your site's security and performance.

Tech Support Office HTTP Header Scanner:
Scan your website for security headers and get tips to improve them.
https://techsupportoffice.com/http-header-scanner

Themewizz HTTP Header Scanner:
Another reliable tool to analyze your site’s HTTP headers and security settings.
https://themewizz.com/http-header-scanner/

By regularly using these tools, you can maintain a secure, well-optimized website. This approach protects your users and helps meet modern web standards.
