Feature Policy: Control access to browser APIs to strengthen security and privacy


The Feature-Policy HTTP header (now renamed Permissions-Policy) gives you granular control over browser APIs (geolocation, camera, microphone, payment, fullscreen, etc.). By limiting or disabling these features, you reduce the attack surface and protect your visitors’ privacy.

What is the Feature-Policy / Permissions-Policy header?

Specified by the W3C, this header defines, through a series of directives, which browser APIs are allowed, restricted, or prohibited for your domain and the content it embeds.

Why implement?

  • Strengthen security by blocking unnecessary APIs.
  • Improve privacy by disabling sensors on non-critical pages.
  • Mitigate drive-by attacks where a malicious script could activate an API.
  • Apply the principle of least privilege.

Key Guidelines and Examples

  • geolocation 'self': geolocation allowed only on your own origin.
  • camera 'none': camera access prohibited everywhere.
  • microphone 'none': microphone access prohibited everywhere.
  • payment 'self': Payment Request API allowed only on your own origin.
  • fullscreen *: fullscreen allowed for every origin.

Strict example in Feature-Policy:

Feature-Policy: geolocation 'self'; camera 'none'; microphone 'none'; payment 'self'; fullscreen *

New Permissions-Policy syntax:

Permissions-Policy: geolocation=(self), camera=(), microphone=(), payment=(self), fullscreen=*

Deployment Steps

  1. Audit your API usage.
  2. Deploy in report-only mode to collect violations.
  3. Adjust the policy until no alerts remain.
  4. Switch to blocking mode in production.
  5. Monitor continuously via logs and keep the policy up to date.
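As an added example (not code from the original post), the helper below supports the syntax section and the audit step above: it converts a legacy Feature-Policy value to the Permissions-Policy form, parses a Permissions-Policy value back into a feature-to-allowlist map, and flags features that a policy leaves open. The list of features passed to the audit is an assumed baseline chosen for illustration.

```python
import re

# Legacy Feature-Policy value (e.g. "geolocation 'self'; camera 'none'") -> new syntax.
def feature_policy_to_permissions_policy(value: str) -> str:
    parts = []
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, allowlist = tokens[0], tokens[1:]
        if "*" in allowlist:
            parts.append(f"{name}=*")          # wildcard keeps its bare form
            continue
        items = []
        for item in allowlist:
            item = item.strip("'\"")
            if item == "none":                 # 'none' becomes an empty allowlist ()
                continue
            # self stays a bare token; explicit origins are quoted strings
            items.append(item if item == "self" else f'"{item}"')
        parts.append(f"{name}=({' '.join(items)})")
    return ", ".join(parts)

# Permissions-Policy value -> {feature: "*" | [origins]} ("self" kept as a token).
def parse_permissions_policy(value: str) -> dict:
    policy = {}
    for field in value.split(","):
        name, sep, allow = field.strip().partition("=")
        if not sep:
            continue
        allow = allow.strip()
        if allow == "*":
            policy[name.strip()] = "*"
            continue
        m = re.fullmatch(r"\((.*)\)", allow)
        inner = m.group(1) if m else allow
        policy[name.strip()] = [t.strip('"') for t in inner.split()]
    return policy

# Report the features in must_restrict that the policy leaves unrestricted.
def audit_policy(policy: dict, must_restrict) -> dict:
    findings = {}
    for feature in must_restrict:
        if feature not in policy:
            findings[feature] = "not mentioned: browser default applies"
        elif policy[feature] == "*":
            findings[feature] = "allowed for every origin (*)"
    return findings

if __name__ == "__main__":
    legacy = "geolocation 'self'; camera 'none'; microphone 'none'; payment 'self'; fullscreen *"
    new = feature_policy_to_permissions_policy(legacy)
    print(new)
    # Assumed audit baseline for illustration; adapt it to the APIs your site actually needs.
    print(audit_policy(parse_permissions_policy(new), ["geolocation", "camera", "microphone", "payment", "fullscreen", "usb"]))
```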

Configuration examples

Nginx

add_header Permissions-Policy "geolocation=(self), camera=(), microphone=(), payment=(self), fullscreen=*" always;

Apache (.htaccess)

<IfModule mod_headers.c>
Header always set Permissions-Policy "geolocation=(self), camera=(), microphone=(), payment=(self), fullscreen=*"
</IfModule>

WordPress (functions.php)

add_action('send_headers', function(){
  header("Permissions-Policy: geolocation=(self), camera=(), microphone=(), payment=(self), fullscreen=*");
});

Our implementation services

At Dimension Internet, we carry out:

  • an audit of your API usage,
  • the definition and deployment of the policy, first in report-only mode and then in blocking mode,
  • pre-production testing,
  • continuous monitoring and updates.

Conclusion

The Feature-Policy (or Permissions-Policy) header is a powerful tool for locking down browser APIs, reducing the attack surface, and preserving user privacy. Dimension Internet supports you from the initial audit to maintenance for optimal deployment.
