Permissions-Policy Generator

Generate Permissions-Policy HTTP headers to control which browser features and APIs can be used on your site. Replaces the deprecated Feature-Policy header.

Feature Directives

  • camera - Camera access
  • microphone - Microphone access
  • geolocation - Location access
  • fullscreen - Fullscreen API
  • autoplay - Media autoplay
  • payment - Payment Request API
  • usb - WebUSB API
  • bluetooth - Web Bluetooth
  • serial - Web Serial API
  • gyroscope - Gyroscope sensor
  • accelerometer - Accelerometer sensor
  • magnetometer - Magnetometer sensor
  • picture-in-picture - PiP mode
  • display-capture - Screen capture
  • encrypted-media - Encrypted Media Extensions
  • interest-cohort - FLoC/Topics API

Generated Header

Permissions-Policy: camera=(), microphone=(), geolocation=(), fullscreen=(self), autoplay=(self), payment=(), usb=(), bluetooth=(), serial=(), gyroscope=(), accelerometer=(), magnetometer=(), picture-in-picture=(self), display-capture=(), encrypted-media=(self), interest-cohort=()

Server Configuration

Nginx:

add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), fullscreen=(self), autoplay=(self), payment=(), usb=(), bluetooth=(), serial=(), gyroscope=(), accelerometer=(), magnetometer=(), picture-in-picture=(self), display-capture=(), encrypted-media=(self), interest-cohort=()" always;

Apache:

Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), fullscreen=(self), autoplay=(self), payment=(), usb=(), bluetooth=(), serial=(), gyroscope=(), accelerometer=(), magnetometer=(), picture-in-picture=(self), display-capture=(), encrypted-media=(self), interest-cohort=()"

Express (Node.js):

app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), fullscreen=(self), autoplay=(self), payment=(), usb=(), bluetooth=(), serial=(), gyroscope=(), accelerometer=(), magnetometer=(), picture-in-picture=(self), display-capture=(), encrypted-media=(self), interest-cohort=()');
  next();
});

About Permissions-Policy

Permissions-Policy (formerly Feature-Policy) is an HTTP header that controls which browser features and APIs can be used in a document or iframe.

  • Privacy Protection - Disable camera, microphone, and geolocation access
  • Performance - Control autoplay, sync-xhr, and document-domain
  • Security - Restrict payment APIs and USB/Bluetooth/Serial access
  • Compliance - Helps meet GDPR, CCPA, and other privacy regulations

What is This Tool?

A Permissions-Policy generator creates the Permissions-Policy HTTP header (formerly Feature-Policy) that controls which browser APIs and features your site can use. Restrict access to camera, microphone, geolocation, payment, and other sensitive APIs to enhance privacy and security.

Permissions-Policy uses a structured header syntax to allow or deny browser features per origin. For example, camera=(self) allows camera access only from your own origin, while geolocation=() disables geolocation entirely. This prevents embedded iframes from accessing sensitive APIs without explicit permission.
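
The key=(allowlist) syntax described above can be checked mechanically before a header is deployed. The following is an added example, not part of this tool: the function names, the SENSITIVE baseline and the sample header are assumptions made for illustration.

```javascript
// Added example, not the generator's code. SENSITIVE is an assumed baseline
// built from features this page lists; adjust it to your application.
const SENSITIVE = ['camera', 'microphone', 'geolocation', 'payment',
                   'usb', 'bluetooth', 'serial', 'display-capture'];

// Parse a header value into Map(feature -> allowlist tokens).
// Throws on anything that is not key=(...) or key=*, which includes the
// old Feature-Policy form ("camera 'none'; microphone 'self'").
function parsePermissionsPolicy(value) {
  const policy = new Map();
  for (const part of value.split(',')) {
    const item = part.trim();
    if (!item) continue;
    const m = /^([a-z0-9-]+)=(\*|\((.*)\))$/.exec(item);
    if (!m) throw new Error(`not Permissions-Policy syntax: "${item}"`);
    const tokens = m[2] === '*' ? ['*'] : m[3].trim().split(/\s+/).filter(Boolean);
    policy.set(m[1], tokens);
  }
  return policy;
}

// Report sensitive features that are unset, open to all origins, or
// delegated to origins other than self. An empty result means every
// feature in SENSITIVE is either disabled or limited to self.
function auditPolicy(value) {
  const policy = parsePermissionsPolicy(value);
  const findings = [];
  for (const feature of SENSITIVE) {
    const allow = policy.get(feature);
    if (allow === undefined) {
      findings.push(`${feature}: not set, browser default applies`);
    } else if (allow.includes('*')) {
      findings.push(`${feature}: allowed for every origin`);
    } else if (allow.some((t) => t !== 'self')) {
      const others = allow.filter((t) => t !== 'self').join(' ');
      findings.push(`${feature}: delegated to ${others}`);
    }
  }
  return findings;
}

// Constructed sample input: a loose header with a wildcard and a delegation.
const WEAK_HEADER =
  'camera=*, microphone=(), geolocation=(self "https://maps.example")';
console.log(auditPolicy(WEAK_HEADER).join('\n'));
```

Run against the generated header shown on this page, auditPolicy returns no findings; a value in the old Feature-Policy syntax is rejected by the parser instead of being silently accepted.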

Common Use Cases

Privacy Hardening

Disable unnecessary browser APIs (camera, microphone, geolocation) to reduce your site's privacy attack surface.

Iframe Security

Control which features embedded third-party iframes can access, preventing unauthorized camera/microphone/payment usage.

Compliance

Meet privacy regulations (GDPR, CCPA) by explicitly controlling access to sensitive browser capabilities.

Security Headers Suite

Add Permissions-Policy alongside CSP, HSTS, and other security headers for comprehensive browser security.

Frequently Asked Questions

What happened to Feature-Policy?

Feature-Policy was renamed to Permissions-Policy with a new syntax. The structured header format uses key=(origin) instead of key origin.

Which features can I control?

Camera, microphone, geolocation, payment, fullscreen, autoplay, display-capture, gyroscope, magnetometer, USB, Bluetooth, and many more.

Does this affect my own site?

Yes. Setting camera=() disables camera for everyone, including your own pages. Use camera=(self) to allow your origin while blocking iframes.