How to Add a Permissions-Policy Header

Restrict which browser features (camera, mic, geolocation) the page and its iframes can use.

Easy Low Impact 5 min

Why It Matters

Permissions-Policy lets you explicitly disable powerful browser APIs your site doesn't use — so a compromised script or embedded iframe can't silently access the camera, microphone or location.

How to Fix

Disable what you don't use

List the features and set them to () (no origins allowed) unless you genuinely need them.

Send the header

Add it as a site-wide response header.

Code Fix

http

Before (broken)

# No Permissions-Policy header

After (fixed)

Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

Platform-Specific Instructions

WordPress

Add via a security-headers plugin or .htaccess.

Next.js

Add under headers() in next.config.js.

Check with our tool

HTTP Header Checker

Want to find all issues at once?

Run a free audit and get a prioritized fix list with auto-generated code.

Run a free audit