About

A browser-based Permissions-Policy header builder. Everything runs locally in your browser; no data is sent to a server.

📘 How to Use

  1. Enable the features you want to control using the toggle switches.
  2. For each active feature, select a policy like 'self', 'all', or enter custom origins.
  3. Choose the output format for your server environment (Nginx, Apache, etc.).
  4. Copy the generated header and add it to your website's configuration.

Web Permissions-Policy Header Builder

Features available in the builder:

  • Camera
  • Microphone
  • Geolocation
  • Fullscreen
  • Payment
  • WebUSB
  • Web Bluetooth
  • Display Capture


Permissions-Policy Header Generator | Easily build secure HTTP headers

Quickly generate Permissions-Policy HTTP response headers to control which browser features (like camera, microphone, geolocation) your website and its embeds can use. This tool provides a simple interface to create complex security policies for modern web applications.

💡 Tool Overview

  • Intuitive Control: Easily enable or disable policies for common browser features such as camera, microphone, geolocation, fullscreen, and more with simple toggle switches.
  • Flexible Policies: For each feature, you can specify who is allowed to use it: no one (()), only your own origin (self), any origin (*), or a specific list of custom origins.
  • Server-Ready Snippets: Generate ready-to-use configuration snippets for various environments, including Raw HTTP Header, Nginx (add_header), Apache (.htaccess), and Node.js (res.setHeader).
  • Instant Generation: The header string is updated in real-time as you adjust your settings, allowing for quick experimentation and implementation.

🧐 Frequently Asked Questions

Q. What is the Permissions-Policy header?

A. Permissions-Policy is an HTTP response header that gives a website the ability to control which browser features and APIs can be used on the page. It helps enhance security by allowing you to explicitly disable features that are not needed, preventing them from being potentially abused by third-party content (like ads or iframes) embedded on your site. It is the modern replacement for the older Feature-Policy header.

Q. What is the difference between the 'self', '*', and 'none' policies?

A. These values define the origin(s) allowed to use a feature:

  • none (()): The feature is disabled for all browsing contexts, including the top-level page and all embedded frames.
  • self ((self)): The feature is allowed for the document's own origin and in any same-origin embedded frames.
  • all ((*)): The feature is allowed for all browsing contexts (the current document and all embedded frames), regardless of their origin. This is a wildcard and should be used with caution.
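As an added example (not the tool's own code), this is the builder logic the overview and this answer describe: a feature-to-allowlist map is serialized into a header value, listed origins are checked to be exact serialized origins, and the value is wrapped in the four output formats the tool offers. Feature tokens and the `()`, `(self)` and `*` forms follow the Permissions-Policy syntax; the sample policy map is constructed.

```javascript
// Added example (not the tool's own code): serialize a Permissions-Policy header
// from a feature -> allowlist map and wrap it in the page's four output formats.
// Feature names are the standard policy-controlled feature tokens.
const FEATURES = new Set(['camera', 'microphone', 'geolocation', 'fullscreen',
  'payment', 'usb', 'bluetooth', 'display-capture']);

// spec: 'none' -> (), 'self' -> (self), 'all' -> * (the spec also accepts (*)),
// or an array mixing 'self' with serialized origins such as "https://cdn.example".
function serializeAllowlist(spec) {
  if (spec === 'none') return '()';
  if (spec === 'self') return '(self)';
  if (spec === 'all') return '*';
  if (!Array.isArray(spec) || spec.length === 0) throw new Error(`bad allowlist: ${spec}`);
  const items = spec.map((item) => {
    if (item === 'self') return 'self';
    // Origins must be exactly scheme://host[:port]; a path, query or
    // differing case would silently produce an entry that never matches.
    let url;
    try { url = new URL(item); } catch (_) { throw new Error(`invalid origin: ${item}`); }
    if (url.origin !== item) throw new Error(`not a serialized origin: ${item}`);
    return `"${item}"`; // origins are quoted strings in the structured-field syntax
  });
  return `(${items.join(' ')})`;
}

function buildPermissionsPolicy(policies) {
  return Object.entries(policies).map(([feature, spec]) => {
    if (!FEATURES.has(feature)) throw new Error(`unknown feature: ${feature}`);
    return `${feature}=${serializeAllowlist(spec)}`;
  }).join(', ');
}

// Config snippets: the header value contains double quotes when origins are listed,
// so they are escaped inside the double-quoted Nginx/Apache strings.
function renderSnippet(format, value) {
  const escaped = value.replace(/"/g, '\\"');
  switch (format) {
    case 'raw': return `Permissions-Policy: ${value}`;
    case 'nginx': return `add_header Permissions-Policy "${escaped}" always;`;
    case 'apache': return `Header always set Permissions-Policy "${escaped}"`;
    case 'node': return `res.setHeader('Permissions-Policy', ${JSON.stringify(value)});`;
    default: throw new Error(`unknown format: ${format}`);
  }
}

// Constructed sample: lock down unused hardware, keep fullscreen for one embedded player.
const policy = buildPermissionsPolicy({
  camera: 'none', microphone: 'none', geolocation: 'self',
  fullscreen: ['self', 'https://player.example'], payment: 'all',
});
for (const fmt of ['raw', 'nginx', 'apache', 'node']) console.log(renderSnippet(fmt, policy));
```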

📚 Permissions-Policy Quick Facts

The Permissions-Policy header is a crucial tool for implementing a "least privilege" security model on the web. By default, many powerful browser APIs are accessible to any script running on your page, including those from third parties. This header allows you to lock down these features, reducing your site's attack surface. For example, if your website doesn't use a microphone, you can set microphone=() to ensure that no script, whether yours or a third party's, can ever access it. This proactive approach to security is a key part of a robust defense-in-depth strategy and complements other security headers like Content-Security-Policy (CSP).