Home / Tools / Configure Permissions-Policy to disable unused browser features
Security Headers · Scan Check Guide

Configure Permissions-Policy to disable unused browser features

15 min Impact: medium Effort: medium ✓ Scan-verified — no manual checkbox

Permissions-Policy lets you explicitly turn off browser features your site doesn't use — camera, microphone, geolocation, USB access — so that even if a third-party script or a compromised ad gets injected into your page, it can't silently request access to hardware it has no legitimate reason to touch.

Without this, scripts on your page can request access to camera, microphone, and geolocation. Disabling features you don't use eliminates that attack surface entirely.

How to fix it

  1. 1
    List what your site actually needs
    Most sites use none of camera, microphone, geolocation, or payment APIs — confirm which (if any) you genuinely use.
  2. 2
    Write a restrictive policy
    Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=() disables all four; add back only what you actually use with your own domain in the allowlist.
  3. 3
    Add the header
    Set it in your server config or CDN, and test that any feature you DID allow still works.

Common mistakes

How you'll know it's done

The Permissions-Policy header is present and disables browser features your site doesn't actually use.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →