Permissions Policy Checker

Verify your Permissions-Policy (formerly Feature-Policy) configuration. This tool checks whether your site restricts third-party access to powerful browser APIs including camera, microphone, geolocation, and payment — and shows you what to add.

  • Free to use
  • No registration required
  • No scan history stored
  • Browser-first analysis
  • PDF report export
  • Copy-paste fixes

What is Permissions-Policy?

The Permissions-Policy HTTP header (previously known as Feature-Policy) allows a site to control which web platform features and APIs can be used in the browser, both for the page itself and for content within iframes. By disabling features your site doesn't use, you limit what a compromised third-party script can do.

Why It Matters

Modern websites load dozens of third-party scripts: analytics, advertising, chat widgets, A/B testing tools. If any of these scripts are compromised through a supply chain attack, they could access device APIs without user consent. A Permissions-Policy that disables camera, microphone, and geolocation for your origin prevents even compromised scripts from activating these sensitive hardware APIs.

Common Configuration Mistakes

  • Omitting the header entirely — all features default to available
  • Using Feature-Policy syntax in a Permissions-Policy header (the two syntaxes differ)
  • Granting access to all features with a permissive policy
  • Not testing that legitimate features still work after restriction
  • Applying restrictions too broadly, breaking embedded video or maps

Recommended Configuration

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=()
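
One way to check a response against the mistakes and the baseline above, as an added example that is not this tool's own code. The function names and finding labels are hypothetical, headers are assumed to arrive as an object with lower-cased names, and the parser is deliberately simplified rather than a full Structured Fields implementation.

```javascript
// Added example. BASELINE is the feature list from the recommended
// configuration on this page.
const BASELINE = ["camera", "microphone", "geolocation", "payment",
                  "usb", "accelerometer", "gyroscope", "magnetometer"];

// Parse a Permissions-Policy value into Map(feature -> allowlist tokens).
// Simplified: handles (), *, self and quoted origins; no parameters or escapes.
function parsePolicy(value) {
  const policy = new Map();
  for (const member of value.split(/,(?![^()]*\))/)) { // commas outside (...)
    const m = member.trim().match(/^([a-z0-9-]+)=(.*)$/);
    if (!m) continue;                                   // not feature=allowlist
    const inner = m[2].trim().replace(/^\((.*)\)$/, "$1").trim();
    policy.set(m[1], inner === "" ? [] : inner.split(/\s+/));
  }
  return policy;
}

// headers: plain object keyed by lower-cased header name (assumption).
function auditPermissionsPolicy(headers) {
  const value = headers["permissions-policy"];
  if (value === undefined) {
    return [headers["feature-policy"] !== undefined
      ? "legacy-header-only: Feature-Policy is sent without Permissions-Policy"
      : "missing: no Permissions-Policy header"];
  }
  const findings = [];
  const policy = parsePolicy(value);
  // Feature-Policy style ("camera 'none'; microphone 'none'") yields no members.
  if (policy.size === 0 || /'(none|self)'/.test(value)) {
    findings.push("legacy-syntax: value is not in feature=(allowlist) form");
  }
  for (const [feature, allow] of policy) {
    if (allow.includes("*")) findings.push(`wildcard: ${feature}=* allows every origin`);
  }
  for (const feature of BASELINE) {
    const allow = policy.get(feature);
    if (allow === undefined) {
      findings.push(`unset: ${feature} falls back to its default`);
    } else if (allow.length > 0 && !allow.includes("*")) {
      findings.push(`enabled: ${feature} allowed for ${allow.join(" ")}; confirm it is used`);
    }
  }
  return findings;
}
```

An "enabled" finding is a prompt to confirm the feature is really needed (an embedded map, for instance), not a failure in itself.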

Frequently Asked Questions

What is the difference between Feature-Policy and Permissions-Policy?

Feature-Policy was the original name, now deprecated. Permissions-Policy is the current standard. The syntax also changed: Feature-Policy used "none" while Permissions-Policy uses empty parentheses "()" to disable a feature.

Will disabling geolocation break my site?

Only if your site actively uses the Geolocation API via JavaScript. If you're not using it, restricting it is safe and recommended. The user can still grant permissions explicitly if you request them through the Permissions API.

Does Permissions-Policy affect iframes?

Yes. By default, restrictions you apply to your origin also restrict iframes unless you explicitly delegate permissions. This is a significant security benefit for sites with embedded content.

Need Professional Web Application Security Testing?

This scanner checks visible headers. VAPT Experts provides professional web application penetration testing, API security testing, and compliance-ready security reports.
