Free Tool

Free Permissions-Policy Checker

Check whether a website restricts access to browser features like camera, microphone, and geolocation with a Permissions-Policy header.

Free and instant. No account or signup needed.

What the Permissions-Policy header does

Permissions-Policy, formerly known as Feature-Policy, is a response header that lets a website decide which powerful browser features the page is allowed to use. It covers things like the camera, microphone, geolocation, payment requests, fullscreen, and more. The site declares a policy once, and the browser enforces it for the page and for any content the page embeds in an iframe.

That last part is what makes the header valuable for security. A modern page often pulls in third party scripts and embedded widgets, and any of them can try to call a sensitive browser API. Without a Permissions-Policy, the browser has no instruction to push back, so an embedded analytics script or ad frame can prompt a visitor for their camera or location. With a policy in place, the browser blocks features you have turned off before the request ever reaches the user, no matter who tries to call them.

How to set a Permissions-Policy

A policy is a list of features, each paired with the origins allowed to use it. An empty list disables a feature for everyone, and the keyword self limits it to your own origin. For example, camera=(), microphone=(), geolocation=(self) switches off the camera and microphone entirely and keeps geolocation scoped to your site. The safest approach is to disable every feature you do not actively use, then open up only the ones your pages genuinely need. When you are ready to write the header, the free Permissions Policy generator builds a complete policy you can copy straight into Nginx, Apache, or your app.

Frequently asked questions

What is a Permissions-Policy checker?

A Permissions-Policy checker inspects the Permissions-Policy header a website returns and tells you whether the site limits powerful browser features like camera, microphone, and geolocation. SiteSecurityScore checks this live by scanning the URL you enter.

What does the Permissions-Policy header do?

The Permissions-Policy header, formerly called Feature-Policy, lets a site declare which browser features the page and any content it embeds in iframes are allowed to use. You can disable features you do not need so embedded third party content cannot quietly request them.

Why does a missing Permissions-Policy matter?

Without a Permissions-Policy, embedded third party content can ask for access to powerful features such as the camera, microphone, and location. An explicit policy that turns off the features you do not use shrinks that surface and keeps embedded scripts from requesting more than they need.

How do I set a Permissions-Policy header?

List each feature followed by an allowlist of origins that may use it, separated by commas. For example, camera=(), microphone=(), geolocation=(self) disables camera and microphone for everyone and allows geolocation only for your own origin. Our free Permissions Policy generator builds a complete header you can copy into your server.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the Permissions-Policy header, and reports what it found in seconds. No account or signup is required.

Related tools

Permissions Policy GeneratorSecurity Headers CheckerPermissions Policy guide

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy and paste fixes. No account required.

Run a full scan