Security · Low

Permissions-Policy

Checks for Permissions-Policy header — restricts browser feature access (camera, mic, etc.).

What this check measures

We read the `Permissions-Policy` header. If it is present, we check that it explicitly restricts camera, microphone, geolocation, payment, and USB unless the site actually uses them.

Why it matters

Prevents rogue third-party scripts (e.g., compromised ads) from silently using camera or geolocation. This is defense in depth, in addition to browser permission prompts.

How our audit detects it

We read the `Permissions-Policy` header and parse its directive list. The check flags the header if it is missing or overly permissive.

Typical findings

  • Header missing — all features allowed by default to all origins.
  • Features used by the site (camera) not self-scoped.

How to fix

Ship a baseline `Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()`. Adjust per-feature if your site actually uses them.
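
A simplified Python version of the check described above, added here as an example (it is not Pantra's own code). It assumes "self-scoped" means an allowlist of exactly `(self)`; the function names and the `used_features` parameter are hypothetical, and the sample headers are constructed.

```python
SENSITIVE = ("camera", "microphone", "geolocation", "payment", "usb")

def parse_permissions_policy(value):
    """Return {feature: [allowlist items]} from a Permissions-Policy value.

    Simplified: splits on commas and drops parameters after ';'.
    It is not a full Structured Fields parser.
    """
    policy = {}
    for directive in value.split(","):
        name, sep, allow = directive.partition("=")
        name = name.strip().lower()
        allow = allow.split(";", 1)[0].strip()
        if not sep or not name or not allow:
            continue  # skip malformed directive
        if allow.startswith("(") and allow.endswith(")"):
            items = allow[1:-1].split()  # "()" -> [] means disabled everywhere
        else:
            items = [allow]              # bare item such as * or self
        policy[name] = items
    return policy

def audit(header, used_features=()):
    """Return a list of (feature, issue) findings; an empty list is a pass."""
    if header is None or not header.strip():
        return [("*", "header missing")]
    policy = parse_permissions_policy(header)
    findings = []
    for feature in SENSITIVE:
        allow = policy.get(feature)
        if allow is None:
            findings.append((feature, "not explicitly restricted"))
        elif feature in used_features:
            # Assumption: a feature the site uses should be scoped to (self) only.
            if allow != ["self"]:
                findings.append((feature, "used by the site but not self-scoped"))
        elif allow:
            findings.append((feature, "overly permissive: " + " ".join(allow)))
    return findings

if __name__ == "__main__":
    # Constructed sample headers, not taken from a real site.
    baseline = "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
    loose = "camera=*, microphone=(), geolocation=(self), payment=(), usb=()"
    print(audit(baseline))                        # passes: no findings
    print(audit(loose, used_features={"camera"}))  # camera and geolocation flagged
    print(audit(None))                            # header missing
```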

Frequently asked questions

Does this replace Feature-Policy?
Yes — Feature-Policy is deprecated. Permissions-Policy is the current standard.
