Permissions Policy HTTP Header: Configuration and Examples

Permissions-Policy HTTP Header Configuration

Nowadays, the issue of online privacy has become a top priority for both internet users and developers. As we surf the web, we encounter many websites and applications that often request access to our personal information and our device’s resources. This has created a critical need to manage and control who and what can access our data and the features of our web browser, and here’s where Permissions-Policy comes into play.

Our article will provide an in-depth exploration of what Permissions-Policy is, how it operates, and why it’s key for protecting your online privacy. We’ll dig into how this technology strikes a balance between the functionality of the web and the security of your data, granting you the power to take charge of your online experience. Additionally, configuring the Permissions-Policy in the HTTP server configuration file is crucial for enhanced security.

What is Permissions-Policy?

Permissions-Policy is a technology that ensures a safer and more regulated online experience. In our current age, modern web pages are far more than static documents like back in the 90s; they’ve evolved into interactive applications that can access various sensitive resources, such as your camera, microphone, location, and more.

This header consists of a group of rules that enable web developers to specify which resources can be accessed and the ways in which they can be utilized. Essentially, it acts as a protective barrier for your data and hardware, ensuring that they are only shared with trusted sources and for legitimate purposes.

The role of the Permissions-Policy header

The role of the Permissions-Policy header

The Permissions-Policy header is a very important component of web security protocols that assists websites in managing and controlling how various browser features and APIs operate on a user’s device. This header is employed to establish particular limitations and authorizations for a webpage, contributing to heightened user privacy and security.

In simple terms, the header allows developers to define rules regarding access to specific browser functions, such as the camera, microphone, geolocation, and push notifications. By specifying these rules, developers can determine who can access these functions and the circumstances under which access is permitted. This is particularly important in an online environment where safeguarding user privacy and security is a top concern.

Mozilla docs say that “Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website.

Furthermore, apart from increasing security and privacy, the Permissions-Policy header helps developers maintain a consistent and predictable user experience by denying unauthorized access to sensitive features. This leads to a reduced risk of security breaches and it also decreases exposure to potential misuse.

Permissions-Policy Header in Action

Is Permissions-Policy important?

This header plays a key role in online security and user privacy. As we have previously stated, this policy establishes the guidelines that determine what actions and resources a website can access and utilize in a user’s web browser. It’s a critical feature because it enforces strict control over how requests for access to features like the camera, microphone, and location are handled on a website.

Permissions-Policy is a must for preserving user privacy and security on the internet, preventing unauthorized or malicious websites from gaining access to sensitive information without user consent, and it’s a shield against security threats like identity theft and data breaches.

So, to make it simple, the answer is yes, the Permissions-Policy is a very important feature in safeguarding online privacy and security. It ensures websites adhere to ethical and legal standards while delivering a secure and trustworthy user experience.

According to Webtechsurvey.com, 1.24% of websites use this header. Is your site among them? You can find out using our webserver security test.

The difference between Permissions-Policy and Feature Policy

What we used to know as Feature Policy is now referred to as Permissions Policy, along with another protocol called Document Policy. Feature Policy technology has been replaced by Permissions Policy and Document Policy to the extent that Feature Policy is now considered obsolete.

This change was made to more accurately reflect the name of the header by splitting it into the two mentioned policies. The change also brought about some adjustments to the structure, attributes, and more. In other words, Feature Policy has essentially been renamed to Permissions Policy and now has some slight differences. So, to maintain the best compatibility with modern browsers, it is recommended to use the Permissions Policy.

Checking Permissions-Policy

The easiest and fastest way to check for this header is by using our free scanner, just do the following:

  1. Access our HTTP security scanner.
  2. Input your domain in the scan box.
  3. Check the two boxes below (named ‘Clear cache’ and ‘Follow redirects’).
  4. Now click the Scan button to start scanning your domain.
  5. Look for the section named ‘HTTP Security Headers’, and check your ‘Permissions-Policy’ test results: a ‘Passed’ in green means that you are good to go, but if you get a ‘Failed’ in red then you will have to update your current settings (we have included a guide below in this article). Additionally, implementing HTTP Strict Transport Security (HSTS) is crucial to ensure that all connections are made over HTTPS, preventing the risk of man-in-the-middle attacks.
Permissions-Policy tests results

Permissions-PolPermissions-Policy directives

The Permissions-Policy directives are specified within the HTTP header, and they can be configured to set permission policies for a range of features and functions. Some common directives include:

  • geolocation: This directive determines whether the website can access the user’s location.
  • camera: It decides whether the website can use the device’s camera.
  • microphone: It controls access to the device’s microphone.
  • accelerometer, gyroscope, magnetometer: These directives regulate access to device sensors.
  • fullscreen: It governs whether the website can request full-screen mode.
  • payment: It defines whether the site has permission to access payment-related features in the browser.
  • usb: This directive manages access to USB devices from the browser.
  • autoplay: It determines whether multimedia content, like videos and audio, can play automatically.

The ‘default-src self’ directive in the Content Security Policy is crucial for preventing the loading of malicious content by allowing resources to be loaded only from the same origin.

Permissions-Policy directives can be set with different values, such as “self” to allow access only from the website itself, “none” to deny access and other specific values based on the website’s requirements.

The ‘img-src self’ directive is important for whitelisting sources for loading images, ensuring that the browser only fetches images from the same origin as the website.

Permissions-Policy examples

Here you can check some instances of the directives set within the HTTP header:

  • Authorize access to the camera and geolocation exclusively for the current website:
Permissions-Policy: camera=self, geolocation=self
  • Allow the utilization of all sensors and the microphone on the current website:
Permissions-Policy: accelerometer=self, gyroscope=self, magnetometer=self, microphone=self
  • Enable automatic playback of multimedia content solely from the current website:
Permissions-Policy: autoplay=self
  • Permit access to the USB port solely for the current website:
Permissions-Policy: usb=self
  • Grant access to the full-screen mode only for the current website:
Permissions-Policy: fullscreen=self
  • Provide access to payment-related features exclusively for the current website:
Permissions-Policy: payment=self
  • Allow geolocation access from the current website and any other site that meets specific origin criteria:
Permissions-Policy: geolocation=self, geolocation="https://example.com https://anotherexample.com"

How to configure Permissions-Policy

Let’s see how to set this header in some common web servers like Nginx, Apache, and IIS.

Configuring the Strict Transport Security (HSTS) header in web servers is also crucial to enforce HTTPS connections and prevent man-in-the-middle attacks.

Setting up Permissions-Policy in Apache

First, let’s configure the Permissions-Policy header in Apache. Most Linux distributions store the primary Apache configuration file at /etc/apache2/apache2.conf. However, you can also configure this directive in specific virtual host configuration files.

Open the configuration file using a text editor such as Nano or Vim. You can use the following command:

nano /etc/apache2/apache2.conf

Add the directive within the VirtualHost or Directory section where you want to apply it. Here’s an example of what the directive might look like:

Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"

In this example, we’ve configured a policy that limits access to geolocation, microphone, and camera in the browser.

Save the file and restart Apache to apply changes:

systemctl restart apache2

Enabling Permissions-Policy in Nginx Configuration File

In Nginx, site configuration files are typically found in /etc/nginx/sites-available/ or in /etc/nginx/conf.d Open your site’s configuration file in a text editor. Correctly editing the Nginx configuration file is crucial for implementing security headers and optimizing performance.

Within the server block, include the add_header directive to define the policy. Here’s an example:

add_header Permissions-Policy "geolocation=(), microphone=(), camera=()";

Save the file. Before applying the changes, validate the syntax of your Nginx configuration to ensure there are no syntax errors:

nginx -t

This configuration restricts access to geolocation, microphone, and camera in the browser.

If the syntax check is successful, restart Nginx to implement the changes:

systemctl restart nginx

Configuring Permissions-Policy on IIS

  1. Open IIS Manager and select your site.
  2. Open HTTP Response Headers and click on the Add button.
  3. Set the following:
    • Name: Permissions-Policy
    • Value: geolocation=(), microphone=(), camera=()
  4. You can also set a different value, this is just an example.
  5. Click OK to save.

Using Style Src Self with Permissions Policy

When using the style-src directive with the Permissions Policy, it’s essential to specify the self keyword to allow styles to be loaded from the same origin.

Here’s an example:

Content-Security-Policy: "style-src 'self';" 

This directive allows styles to be loaded from the same origin while preventing styles from being loaded from other origins. By combining this with the Permissions Policy, you can create a robust security framework that ensures only trusted sources can load stylesheets.

This helps mitigate risks associated with cross-site scripting (XSS) and other injection attacks, providing a safer browsing experience for users.

Restricting Access to Sensitive Data

One of the primary use cases for the Permissions Policy is restricting access to sensitive data such as geolocation, camera, and microphone access. By setting the appropriate directives in the Permissions Policy header, website owners can prevent malicious scripts from accessing this data without the user’s consent.

For instance, the following directive can be used to restrict access to geolocation data:

Permissions-Policy: geolocation=() 

This directive specifies that no scripts are allowed to access geolocation data, effectively safeguarding the user’s location information. Similar directives can be used to control access to other sensitive features, ensuring that only authorized scripts can utilize these resources. This level of control is vital for maintaining user privacy and preventing unauthorized data access.

Best Practices for Implementation

When implementing the Permissions Policy, there are several best practices to keep in mind. First, it’s essential to test the policy thoroughly to ensure that it does not break any functionality on the website. Testing helps identify any potential issues that could affect the user experience or the website’s performance.

Second, website owners should regularly review and update the policy to ensure that it remains effective against emerging threats. The web security landscape is constantly evolving, and staying informed about best practices and important changes in browsers is crucial for maintaining a robust security posture.

Finally, it’s crucial to implement the Permissions Policy in conjunction with other security features such as CSP and CORS. This integrated approach ensures comprehensive protection, covering both content and feature access. By following these best practices, website owners can effectively leverage the Permissions Policy to enhance security and user privacy.

Testing and Debugging Permissions Policy

To test and debug Permissions Policy, you can use the browser’s developer tools. Here are some steps to follow:

  1. Open the browser’s developer tools by pressing F12 or right-clicking on the page and selecting “Inspect”.
  2. Switch to the “Console” tab.
  3. Look for any errors or warnings related to the Permissions Policy.
  4. Use the browser’s debugger to step through the code and identify any issues.

By following these steps, you can ensure that your Permissions Policy is correctly implemented and functioning as intended. Regular testing and debugging are crucial for maintaining a secure and reliable web application.

Common Use Cases for Permissions Policy

Permissions Policy is commonly used to control access to sensitive features and APIs, such as:

  • Geolocation: Prevent websites from accessing the user’s location without permission.
  • Microphone and Camera: Prevent websites from accessing the user’s microphone and camera without permission.
  • Payment APIs: Prevent websites from accessing payment APIs without permission.

By controlling access to these features and APIs, the Permissions Policy helps to protect user privacy and prevent malicious activities. Implementing these policies ensures that only trusted and authorized scripts can access sensitive resources, thereby reducing the risk of data breaches and enhancing overall web security.

Permissions-Policy FAQ

Let’s answer some of the most common questions related to this topic.

Q: What is Permissions-Policy?

A: Permissions-Policy is a security feature that allows web developers to control which APIs and features can be used in the browser. It helps in mitigating risks by restricting access to potentially dangerous features. Regularly reviewing and updating the ‘X-Content-Type-Options’ header is also crucial to prevent MIME type sniffing, ensuring that the declared MIME type is respected by browsers and mitigating associated risks. The ‘X-Content-Type-Options’ header should be set to ‘nosniff’, which is the only valid value to enhance website security, especially for sites handling user-generated content.

How often should I review and update my Permissions-Policy?

It’s a good practice to review and update it regularly, more so when adding new features to your website or when security vulnerabilities are discovered. Stay informed about best practices and important changes in browsers.

Can I customize the Permissions-Policy for my website?

Yes, you can customize it to fit your website’s specific needs by specifying the correct directives and origins. Make sure to test your configuration to ensure compatibility and security.

Can Permissions-Policy be used to restrict access to all browser features?

While this policy can control access to many browser features and APIs, it does not cover every possible action. Some features may require additional security measures or browser-specific settings.

Does Permissions-Policy affect the performance of my website?

It should not significantly impact website performance. However, restricting access to certain features may affect user experience, particularly if those features are important for your website’s functionality.

Troubleshooting Common Issues

When implementing the Permissions Policy, website owners may encounter several common issues. One of the most frequent problems is that the policy is not being applied correctly, resulting in scripts being blocked or allowed incorrectly. To troubleshoot this issue, website owners can use the browser’s developer tools to inspect the HTTP headers and verify that the Permissions Policy header is being sent correctly.

Another common issue is that the policy is too restrictive, resulting in legitimate scripts being blocked. To address this, website owners can review the policy and adjust the directives as needed to allow legitimate scripts to function correctly. It’s important to strike a balance between security and functionality, ensuring that the policy provides adequate protection without hindering the website’s performance.

By understanding and addressing these common issues, website owners can effectively implement the Permissions Policy and enhance their website’s security and user privacy.

Understanding Security Headers

Permissions-Policy is considered a crucial tool for both internet users and developers and is used to protect our online privacy. It defines rules granting access to sensitive resources like cameras, microphones, and geolocation data, ensuring that access is given only to trusted sources and for legitimate purposes.

Formerly known as Feature Policy, Permissions-Policy has become the modern standard. It’s recommended for compatibility with contemporary browsers.

Scroll to Top