What is Permissions-Policy?
Modern browsers give websites access to powerful device features — camera, microphone, geolocation, payment systems, video autoplay, and much more. By default, any script on your page, including third-party ones — analytics, ads, widgets — can attempt to use these features without your knowledge, such as accessing the camera or your payment system.
The Permissions-Policy header allows you to control which browser APIs are available on your site and to whom. You state the policy explicitly: "Camera — blocked. Microphone — blocked. Geolocation — only for my domain. Fullscreen mode — allowed." Anything not permitted will be blocked by the browser, even if a third-party script tries to use it: the header defines what is allowed, and everything not listed is denied.
This is especially important if your site uses third-party services. Even a trusted analytics script can be compromised to interact with your device's features — and without Permissions-Policy it would gain access to the user's camera or microphone. With this header, such a scenario is blocked by default.
What do you need to do to enable this protection?
To restrict access to device features on your site, add the following header to your web server configuration. Choose the example below depending on which server you use.
Nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), autoplay=(), fullscreen=(self), display-capture=()" always;
Apache
Header set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), autoplay=(), fullscreen=(self), display-capture=()"
Before applying these settings, make sure you are not blocking something your site actually needs. If you have a video player, maps, or payment forms, check that the permissions they require are not blocked; for instance, don't disable fullscreen if your site has video content.
Also, don't forget to update the header when adding new services — when integrating new third-party tools (maps, payment forms, video calls), always check whether your current policy blocks the permissions they require.
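The check described above, as an added example that is not code from the original page: a small Python script that parses a Permissions-Policy header value (the syntax used in the Nginx and Apache examples) and reports which of the feature/origin pairs a new integration needs are blocked by the current policy. The site origin, the map provider origin and the integration's needs are constructed placeholders. Features the header does not mention are reported separately, because for those the browser's built-in default allowlist applies rather than the header.

```python
"""Check a Permissions-Policy header value against what a new integration needs.

Added example, not code from the original page. Parses the header syntax
(feature=(allowlist), feature=*, feature=self) and reports which required
feature/origin pairs the policy blocks, and which it does not mention at all
(those fall back to the browser's built-in default allowlist).
"""
import re
from urllib.parse import urlsplit

# Header value from the page's Nginx/Apache examples.
PAGE_HEADER = ('camera=(), microphone=(), geolocation=(), payment=(), usb=(), '
               'autoplay=(), fullscreen=(self), display-capture=()')

# Constructed sample origins: the site and the map provider are placeholders.
SITE_ORIGIN = "https://www.example.com"
MAPS_ORIGIN = "https://maps.example.net"

# What a hypothetical map widget plus video player would need.
INTEGRATION_NEEDS = [
    ("geolocation", MAPS_ORIGIN),          # map embed wants the user's position
    ("fullscreen", SITE_ORIGIN),           # our own video player
    ("picture-in-picture", SITE_ORIGIN),   # feature the page's header never lists
]

# Same policy with geolocation delegated to the map origin (the fix).
FIXED_HEADER = PAGE_HEADER.replace(
    'geolocation=()', f'geolocation=(self "{MAPS_ORIGIN}")')

# feature=(...) | feature=* | feature=self
_DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)=(\([^)]*\)|\*|self)')


def parse_permissions_policy(header: str) -> dict:
    """Return {feature: allowlist}. Allowlist entries are '*', 'self' or an
    origin string; an empty list means nobody may use the feature."""
    policy = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        feature, value = m.group(1), m.group(2)
        if value.startswith("("):
            # inner list: whitespace-separated tokens, origins are quoted
            policy[feature] = [t.strip('"') for t in value[1:-1].split()]
        else:
            policy[feature] = [value]
    return policy


def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased (default ports are not normalised)."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def is_allowed(policy: dict, feature: str, origin: str, site_origin: str):
    """True/False when the header decides; None when the feature is not listed
    and the browser's default allowlist applies instead."""
    if feature not in policy:
        return None
    allow = policy[feature]
    if "*" in allow:
        return True
    origin = _origin(origin)
    if "self" in allow and origin == _origin(site_origin):
        return True
    return any(_origin(o) == origin for o in allow if o not in ("*", "self"))


def check_requirements(header: str, site_origin: str, needs) -> list:
    """Return one finding per (feature, origin) pair that the policy blocks
    or does not cover. An empty list means the integration is fully allowed."""
    policy = parse_permissions_policy(header)
    findings = []
    for feature, origin in needs:
        verdict = is_allowed(policy, feature, origin, site_origin)
        if verdict is False:
            findings.append(f"{feature}: blocked for {origin}")
        elif verdict is None:
            findings.append(f"{feature}: not in policy, browser default applies")
    return findings


if __name__ == "__main__":
    for label, header in (("current", PAGE_HEADER), ("fixed", FIXED_HEADER)):
        print(f"[{label}] {check_requirements(header, SITE_ORIGIN, INTEGRATION_NEEDS)}")
```

Run against the page's header, the script reports that geolocation is blocked for the map origin and that picture-in-picture is not covered at all; against the corrected header, which adds the map origin to the geolocation allowlist, only the uncovered feature remains. Note that the header only sets the upper bound: a cross-origin iframe additionally needs the feature delegated to it through its allow attribute.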
It's also worth noting that by default, most features are available to any script on the page, including third-party ones. Without this header, you have no control over what accesses the camera, microphone, and other APIs — always keep this in mind.
Proper Permissions-Policy configuration ensures that no script on your site gains access to device features without your explicit permission.