HTTP security headers

Permissions-Policy

How Permissions-Policy restricts which browser features your pages can use, and how WebGuard flags a missing policy.

Last updated June 9, 2026

What it is

Permissions-Policy is a response header that declares which browser features (camera, microphone, geolocation, and others) a page and the content it embeds are allowed to use.

Why it matters

Disabling features you don't need shrinks what a compromised script or an embedded third party can reach. Granting capabilities explicitly and denying the rest by default is a low-effort way to limit the blast radius of a front-end compromise.

How WebGuard checks it

WebGuard reads your response headers and reports whether a Permissions-Policy is present. It only inspects headers your public site already returns.

A sensible starting configuration:

Permissions-Policy: geolocation=(), camera=(), microphone=()

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.