Low Severity

Missing Permissions-Policy

Formerly called `Feature-Policy`, the `Permissions-Policy` header lets you enable or disable browser features and APIs (such as camera, microphone, geolocation and USB).

Business Risk

If your site gets XSS'd, the attacker can try to access the user's webcam or microphone. Explicitly disabling these features limits the "blast radius" of a compromise. It also prevents third-party iframes (ads) from accessing these sensors without your knowledge.

Technical Details

The syntax is `feature=(allowlist)`. An empty allowlist, `()`, means "nobody": the feature is disabled for every origin. Recommended baseline: disable the powerful features you don't use.

Remediation Guide

```text
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
```
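To check a response against this baseline offline, the following added example (not part of the original page or of any scanner's code) parses a `Permissions-Policy` value and reports, per baseline feature, whether it is disabled, left unset, or still allowed. The helper names `parse_permissions_policy` and `audit` are hypothetical, the sample responses are constructed, and the parser assumes directives carry no Structured Field parameters.

```python
import re

# Baseline features taken from the remediation header on this page.
BASELINE = ("camera", "microphone", "geolocation", "payment", "usb")

# One directive: feature=(allowlist) or feature=token such as feature=*.
# Assumption: no Structured Field parameters (";name=value") are present.
_DIRECTIVE = re.compile(r'\s*([a-z0-9_-]+)\s*=\s*(\(([^)]*)\)|[^,\s]+)\s*(?:,|$)')


def parse_permissions_policy(value):
    """Return {feature: allowlist entries}; [] is the empty allowlist ()."""
    value, policy, pos = value.strip(), {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}")
        feature, raw, inner = m.groups()
        policy[feature] = inner.split() if raw.startswith("(") else [raw]
        pos = m.end()
    return policy


def audit(headers, baseline=BASELINE):
    """Map each baseline feature to 'disabled', 'not set' or 'allowed: ...'."""
    headers = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    value = headers.get("permissions-policy")
    if value is None:
        legacy = "feature-policy" in headers
        status = "only legacy Feature-Policy sent" if legacy else "header missing"
        return {f: status for f in baseline}
    policy = parse_permissions_policy(value)
    report = {}
    for f in baseline:
        if f not in policy:
            report[f] = "not set"  # the browser's default for this feature applies
        elif not policy[f]:
            report[f] = "disabled"
        else:
            report[f] = "allowed: " + " ".join(policy[f])
    return report


# Constructed sample responses (not captured from any real site).
HARDENED = {"Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()"}
PARTIAL = {"permissions-policy": 'camera=(), microphone=(self), geolocation=*, fullscreen=(self "https://player.example")'}
LEGACY = {"Feature-Policy": "camera 'none'"}

if __name__ == "__main__":
    for name, resp in (("hardened", HARDENED), ("partial", PARTIAL), ("legacy", LEGACY)):
        print(name, audit(resp))
```

Any status other than `disabled` for a feature the site does not use is a gap against the baseline above.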
