Missing Permissions-Policy header
The Permissions-Policy header is absent. Third-party iframes and embedded scripts can access browser features (camera, microphone, geolocation) without restriction.
Why it matters
Ads or third-party scripts can activate geolocation, the camera or other sensitive APIs in the context of your site.
How to fix
1. Via .htaccess

```apache
<IfModule mod_headers.c>
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
</IfModule>
```

2. Via Nginx

```nginx
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
```
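To confirm the fix after deployment, this added example (not part of the original page) parses the Permissions-Policy values of a response and reports any of the four features from the recommended header that are not disabled. The function names and sample header values are constructed for illustration, and the parser is simplified: it ignores structured-field parameters.

```python
import re

# Features the recommended header on this page disables with an empty allowlist.
REQUIRED_DISABLED = ("camera", "microphone", "geolocation", "payment")

# One policy member: name=(allowlist) or the bare forms name=* / name=self.
_MEMBER = re.compile(r'([a-z][a-z0-9-]*)\s*=\s*(?:\(([^)]*)\)|(\*|self))')


def parse_policy(value):
    """Return {feature: [allowlist entries]} for a Permissions-Policy value."""
    policy = {}
    for name, inner, bare in _MEMBER.findall(value):
        # A repeated feature name overrides the earlier entry.
        policy[name] = [bare] if bare else inner.split()
    return policy


def audit(header_values):
    """Check all Permissions-Policy header lines of one response.

    Returns {feature: problem}; an empty dict means every required
    feature is disabled with "()".
    """
    if not header_values:
        return {f: "header missing" for f in REQUIRED_DISABLED}
    # Several header lines are equivalent to one comma-joined value.
    policy = parse_policy(", ".join(header_values))
    findings = {}
    for feature in REQUIRED_DISABLED:
        if feature not in policy:
            findings[feature] = "not listed (browser default applies)"
        elif policy[feature]:
            findings[feature] = "allowed for: " + " ".join(policy[feature])
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    samples = {
        "fixed": ['camera=(), microphone=(), geolocation=(), payment=()'],
        "partial": ['camera=(self "https://ads.example"), microphone=()',
                    'geolocation=*'],
        "missing": [],
    }
    for label, headers in samples.items():
        print(label, audit(headers) or "OK")
```

Feed it the header lines collected from a live response (for example from `curl -sI`) to check each virtual host or location block that sets its own headers.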