Permissions-Policy (the successor to Feature-Policy) is a response header that lets a site declare
which powerful browser APIs (camera, microphone, geolocation, and more) its pages and their embedded
iframes may use, so a compromised script or a third-party iframe can't quietly invoke them.
A sensible default
Disable the sensitive features most sites never use:
Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(), usb=(), interest-cohort=()
Empty () means “no origin may use this feature” (not even your own). To allow your own site, use
(self); to allow a specific origin, ("https://example.com").
Nginx
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=()" always;
Apache
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=()"
Caddy
header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=()"
_headers (Netlify, Cloudflare Pages)
/*
  Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(), usb=()
Allow a feature for your own site
If your page genuinely needs, say, geolocation:
Permissions-Policy: geolocation=(self), camera=(), microphone=()
Verify
curl -sI https://yourdomain.com | grep -i permissions-policy
Syntax note: values use the structured-header syntax, feature=(allowlist), with directives separated
by commas. This differs from the old Feature-Policy syntax (geolocation 'none', semicolon-separated).
Use Permissions-Policy; Feature-Policy is deprecated. interest-cohort=() opts out of legacy FLoC;
browsers ignore feature names they don't know, so it is harmless to keep.
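Added example, not part of this guide: a small Python checker that parses the structured syntax described in the note above and audits the features the default policy locks down, so the curl check under Verify can be extended from "is the header present" to "does it say what we intended". The sample header and the meet.example origin are constructed for the demo.

```python
import re

# Features this guide's default policy locks down; the audit expects each one to be present.
SENSITIVE = ("geolocation", "camera", "microphone", "payment", "usb")

# Old Feature-Policy style ("geolocation 'none'; camera 'self'") uses spaces and quoted keywords.
LEGACY_RE = re.compile(r"^[\w-]+\s+'(none|self|\*)'")

# Constructed sample header (not from a real site) mixing blocked, delegated and open features.
SAMPLE_HEADER = 'geolocation=(self), camera=(), microphone=("https://meet.example" self), payment=*'

def parse_permissions_policy(header: str) -> dict[str, list[str]]:
    """Parse a Permissions-Policy value into {feature: allowlist}; () -> [], * -> ["*"]."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(","):
        directive = directive.strip()
        if not directive:
            continue
        if LEGACY_RE.match(directive):
            raise ValueError(f"legacy Feature-Policy syntax, not Permissions-Policy: {directive!r}")
        name, sep, value = directive.partition("=")
        if not sep:
            raise ValueError(f"directive has no '=': {directive!r}")
        name, value = name.strip(), value.strip()
        if value.startswith("(") and value.endswith(")"):
            tokens = value[1:-1].split()  # inner list: zero or more space-separated items
        else:
            tokens = [value]  # bare single item, e.g. payment=* or camera=self
        policy[name] = [t.strip('"') for t in tokens]  # drop the quotes around origins
    return policy

def audit_permissions_policy(header: str, sensitive=SENSITIVE) -> dict[str, str]:
    """Report, per sensitive feature, whether it is blocked, delegated, wide open or missing."""
    policy = parse_permissions_policy(header)
    report: dict[str, str] = {}
    for feature in sensitive:
        allow = policy.get(feature)
        if allow is None:
            report[feature] = "missing (browser default applies)"
        elif not allow:
            report[feature] = "blocked"
        elif "*" in allow:
            report[feature] = "open to every origin"
        else:
            report[feature] = "allowed for " + " ".join(allow)
    return report

if __name__ == "__main__":
    for feature, status in audit_permissions_policy(SAMPLE_HEADER).items():
        print(f"{feature:12} {status}")
```

Feed it the value printed by the curl check under Verify; add -L to curl if your domain redirects (http to https, apex to www), otherwise you are inspecting the redirect's headers rather than the final page's.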