Permissions-Policy header not implemented
Description
The Permissions-Policy HTTP response header is not configured on the application. This header enables web applications to control which browser features and APIs can be used in the current document and embedded iframes, providing defense-in-depth against malicious third-party content and reducing the attack surface by disabling unnecessary functionality.
Remediation
Implement the Permissions-Policy header to explicitly control which browser features your application requires. Configure the header in your web server or application framework to allow only necessary features and deny all others by default.
Example configuration for common web servers:
Apache (.htaccess or httpd.conf):
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=()"
Nginx:
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=()" always;
Application-level (Node.js/Express):
app.use((req, res, next) => {
res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=()');
next();
});
Customize the policy based on your application's actual requirements. Use the self keyword to allow a feature for your own origin, or list trusted origins inside the parentheses. Review the W3C Permissions Policy specification for a complete list of available directives and syntax.
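As an added example (not part of this finding's template), the following Python helper serializes a policy from an allowlist map in the syntax shown above and audits a captured header value, reporting which of the features the example configurations disable are still unrestricted. The origin https://trusted.example and the feature list are constructed sample values.

```python
"""Build and audit a Permissions-Policy header value.

Handles the syntax used in the configurations above: comma-separated
feature=(allowlist) directives whose entries are self, *, or quoted origins.
"""

# Baseline the sample configurations deny; an audit expects each of these
# to be explicitly restricted rather than left at the browser default.
SENSITIVE_FEATURES = ("geolocation", "microphone", "camera", "payment",
                      "usb", "magnetometer", "gyroscope")


def build_permissions_policy(policy):
    """Serialize {feature: [allowlist entries]} into a header value.

    An empty list yields feature=(), denying the feature for the document
    and every embedded frame. Origins are quoted; self and * stay bare.
    """
    parts = []
    for feature, allowlist in policy.items():
        entries = [e if e in ("self", "*") else f'"{e}"' for e in allowlist]
        parts.append(f"{feature}=({' '.join(entries)})")
    return ", ".join(parts)


def parse_permissions_policy(header_value):
    """Parse a header value into {feature: [allowlist entries]}."""
    policy = {}
    for directive in header_value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        feature, _, allowlist = directive.partition("=")
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            allowlist = allowlist[1:-1]
        policy[feature.strip()] = [e.strip('"') for e in allowlist.split()]
    return policy


def audit_permissions_policy(header_value, features=SENSITIVE_FEATURES):
    """Classify each feature as denied, self, wildcard, third-party or missing."""
    policy = parse_permissions_policy(header_value or "")  # None = header absent
    report = {}
    for feature in features:
        if feature not in policy:
            report[feature] = "missing"      # browser default applies
        elif not policy[feature]:
            report[feature] = "denied"       # feature=()
        elif "*" in policy[feature]:
            report[feature] = "wildcard"     # usable by any embedded origin
        elif policy[feature] == ["self"]:
            report[feature] = "self"
        else:
            report[feature] = "third-party"  # at least one external origin
    return report
```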