Browser Feature Control
Control which browser features your site and embedded content can access. Toggle permissions, set allowlists, and copy the generated header. Read the guide.
Camera access is completely blocked. No page or embed can activate the camera.
Microphone access is completely blocked. No audio recording is possible.
Location access is completely blocked. No page can request GPS or IP-based location.
Only your own site can use the Fullscreen API. Common for video players and presentations.
Only your own site can use the Payment API. Third-party payment embeds are blocked.
Only media on your own site can autoplay. Third-party embeds must wait for user interaction.
Modern browsers expose powerful APIs like camera, microphone, and geolocation. If left unrestricted, any embedded script or iframe on your page can request access to these features. Permissions Policy lets you set an allowlist so only trusted origins can use sensitive capabilities. For a full walkthrough, see our Permissions Policy guide.
Start by setting every feature you do not use to the empty allowlist, written (), which blocks it for all origins. Then set the features you need to (self), or list the specific origins that may use them. This deny-by-default approach ensures new third-party embeds cannot silently access device capabilities. Our generator guide walks through common configurations.
Permissions Policy (formerly Feature Policy) is an HTTP response header that controls which browser features your site and its embedded content can use. It lets you disable APIs like camera, microphone, and geolocation for third-party iframes, reducing the attack surface and protecting user privacy.
Content Security Policy controls which origins can load resources (scripts, styles, images). Permissions Policy controls which browser APIs and features can be used. They complement each other: CSP stops malicious code from loading, while Permissions Policy stops loaded code from accessing sensitive device capabilities.
Setting a feature to an empty allowlist () blocks it for all origins, including your own page. This is the most restrictive setting and is recommended for features your site does not use, like camera or microphone on a blog.
Yes. Explicitly blocking unused features prevents third-party scripts and iframes from accessing them without your knowledge. Even if no embed currently uses the camera, a compromised ad script could try. Blocking by default is a strong privacy practice.
The (self) setting allows the feature only for your own origin, blocking all cross-origin iframes. The * setting allows any origin to use the feature. Use self when only your own pages need the capability, and * only when you explicitly want all embeds to have access.
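To make the allowlist rules above concrete (deny-by-default with (), then (self) or explicit origins, and * for everyone), here is an added example, not the generator's own code, that builds a Permissions-Policy header from a feature map, parses one back, and evaluates whether an origin may use a feature under it. The map shape and the sample origins are assumptions for illustration.

```javascript
// Added example, not the generator's own code. Allowlist shapes assumed here:
// [] -> "()", ["self", "https://x"] -> '(self "https://x")', "*" -> "*".
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allow]) => {
      if (allow === "*") return `${feature}=*`; // wildcard is written bare, not "(*)"
      // Origins are quoted strings; "self" is a bare token.
      const items = allow.map((o) => (o === "self" ? "self" : JSON.stringify(o)));
      return `${feature}=(${items.join(" ")})`;
    })
    .join(", ");
}

// Parse a header back into the same map shape. Malformed directives are skipped.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const directive of header.split(",")) {
    const m = directive.trim().match(/^([a-z-]+)=(\*|\((.*)\))$/);
    if (!m) continue;
    const [, feature, value, inner] = m;
    if (value === "*") { policy[feature] = "*"; continue; }
    const tokens = inner.match(/"[^"]*"|self|\*/g) || []; // "()" yields no tokens
    policy[feature] = tokens.map((t) => (t.startsWith('"') ? t.slice(1, -1) : t));
  }
  return policy;
}

// true/false for a feature the header governs; null when the header is silent,
// meaning the browser's own default allowlist applies instead.
function isAllowed(policy, feature, origin, selfOrigin) {
  const allow = policy[feature];
  if (allow === undefined) return null;
  if (allow === "*" || allow.includes("*")) return true;
  if (allow.includes("self") && origin === selfOrigin) return true;
  return allow.includes(origin); // exact origin match (assumption: no normalisation)
}

// Constructed sample matching the presets above: deny camera/microphone
// everywhere, restrict the rest to the site itself plus one trusted map embed.
const samplePolicy = {
  camera: [], microphone: [],
  geolocation: ["self", "https://maps.example.com"],
  fullscreen: ["self"], payment: ["self"], autoplay: ["self"],
};
const sampleHeader = buildPermissionsPolicy(samplePolicy);
// -> camera=(), microphone=(), geolocation=(self "https://maps.example.com"), fullscreen=(self), payment=(self), autoplay=(self)
```

Send the resulting string as the Permissions-Policy response header; a cross-origin iframe such as an ad script then gets false from the same check that the browser applies.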
Open your browser DevTools and check the Console tab. Browsers log warnings when a feature is blocked by Permissions Policy. You can also use the Application tab in Chrome DevTools to inspect which permissions are allowed or blocked for each frame.
Permissions Policy works best alongside CSP, HSTS, and other headers. Run a full scan to see your complete security posture and get prioritized recommendations.