What is the Permissions-Policy header?
Permissions-Policy is a security header that decides which browser features - camera, microphone, location, and similar - your pages and anything embedded in them are allowed to use. About 93% of Australian small business websites send no Permissions-Policy*, making it the rarest header in the set:
- The default is permissive - without it, an embedded widget or injected script can ask the browser to switch on the camera, microphone or geolocation in your site’s name.
- You allow by exception - name only the features your site genuinely uses and switch the rest off, so nothing else can quietly request them.
- Most small sites need almost nothing - a brochure or booking site rarely touches the camera or microphone, so the policy is short and safe to lock down.
Switch off the hardware features your site never uses, and a hijacked widget can no longer reach for them.