API Pricing RU Sign In

Site Analysis

HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS

DNS DNS Propagation WHOIS SSL CMS Detector

Network

Ping Traceroute IP ASN Lookup IP/CIDR Calculator

Security

Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content SEO Audit Schema Checker Site Comparison

SEO & AI

Robots.txt AI Readiness llms.txt Keywords

Utilities

Formatter Cron Tester JWT Decoder TTL Calculator Batch Heartbeat Status Pages

Information

API Documentation Articles Pricing Help Contact

RU Sign In Sign Up

Home / HTTP Headers / Permissions-Policy

← All HTTP Headers

Security

Permissions-Policy

Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.

Syntax

Permissions-Policy: &lt;feature&gt;=(&lt;allowlist&gt;), &lt;feature&gt;=(&lt;allowlist&gt;)

Example

Permissions-Policy: camera=(), microphone=(), geolocation=()

Description

Permissions-Policy (formerly Feature-Policy) controls which browser features and APIs are available. Prevents third-party scripts from abusing camera, microphone, geolocation, or payment APIs.

Each feature can be: * (allow all), self (same origin), specific origins, or () (disable).

Important for sites with third-party content — restricting permissions limits potential damage from compromised scripts.

Check if your website sends this header correctly

Check your headers →

Web Server Security Hardening Checklist: Nginx and Apache

Complete web server hardening checklist for nginx and Apache. File permissions, security headers, TLS configuration, access control, and monitoring.

Security Headers: The Complete Guide

Complete guide to HTTP security headers: CSP, HSTS, X-Frame-Options, Permissions-Policy, CORP, COEP. Configuration and examples.

Analyzing Server Response Headers: What They Reveal About a Website

A detailed guide to HTTP headers: Cache-Control, ETag, Server, CORS, and security headers. How to read and optimize response headers.

Related Headers

Content-Security-Policy

Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.

Cross-Origin-Opener-Policy

Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.

Cross-Origin-Resource-Policy

Restricts which origins can load a resource, preventing unauthorized cross-origin reads.

Referrer-Policy

Controls how much referrer information is included with requests, balancing privacy with analytics needs.

Strict-Transport-Security

Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

X-Content-Type-Options

Prevents browsers from MIME-sniffing the content type, reducing the risk of drive-by downloads and XSS attacks.

Start monitoring for free

Create Account API Documentation

⚡

enterno.io

Website monitoring and analysis tools

Site Analysis HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS & Network DNS Lookup DNS Propagation WHOIS SSL Check CMS Detector Ping & Ports Traceroute IP Geolocation ASN Lookup IP/CIDR Calculator

Security Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content

SEO & AI & Utilities Robots.txt AI Readiness llms.txt Keywords SEO Audit Schema Checker Site Comparison Formatter Cron Tester JWT Decoder TTL Calculator Batch Check

Service API Documentation Pricing Help Compare Articles HTTP Headers Reference HTTP Status Codes Contact Privacy Policy Terms of Service Heartbeat Status Pages

PHP 8.4 · Hosting: Russia