Permissions-Policy Header Checklist

Lock down browser feature access (camera, microphone, geolocation, payment and similar APIs) before third-party embeds and scripts widen the attack surface: any script or frame that runs on the page inherits whatever the policy leaves open.

1. Start from deny-by-default: give every feature you govern an empty allowlist (for example geolocation=()) and open each one only for the origins that need it.

2. Restrict camera, microphone, geolocation, and payment first. These are the features an injected script or rogue embed can abuse most directly, and each defaults to self, so without an explicit directive every same-origin script can already use them.

3. Verify iframe allowlists per origin. The header entry must name the exact origin in double quotes (for example camera=(self "https://meet.example"), with meet.example standing in for the real embed), the iframe's allow attribute must delegate the same feature, and the feature is usable in the frame only when both agree. Subdomains are distinct origins and need their own entries.

4. Replace the deprecated Feature-Policy header and its syntax (semicolon-separated directives, single-quoted 'self' and 'none', bare origins) with the Permissions-Policy structured-field syntax (comma-separated feature=(allowlist) entries with double-quoted origins), and drop directives the current spec no longer defines.

5. Retest after adding analytics, chat widgets, or media providers: each new embed is a new origin that either needs its own allowlist entry or must be confirmed blocked.

6. Keep policy review in the release checklist for frontend changes.
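The six steps above as one runnable check, added here as an example and not taken from the original page: it builds a deny-by-default Permissions-Policy header (steps 1 and 2), flags the deprecated Feature-Policy syntax (step 4), and decides whether a given iframe can actually use a feature under both the header and its allow attribute (step 3), which is the check to rerun after every new embed (step 5). It runs under Node.js with no dependencies; the feature names are real Permissions-Policy features, while app.example, pay.example and video.example are hypothetical origins.

```javascript
// Added example for this checklist, not code from the original page.
// Plain Node.js, no dependencies. Feature names are real Permissions-Policy
// features; app.example, pay.example and video.example are placeholders.

// Steps 1-2: deny-by-default baseline. Each feature maps to its allowlist:
// [] disables it everywhere, 'self' allows only the site's own origin,
// anything else must be a full origin.
const BASELINE = {
  camera: ['self'],
  microphone: ['self'],
  geolocation: [],
  payment: ['https://pay.example'],
  'display-capture': [],
  usb: [],
  fullscreen: ['self', 'https://video.example'],
};

// self and * are bare tokens; origins are normalised and double-quoted,
// as the Permissions-Policy (structured field) syntax requires.
function serializeAllowEntry(entry) {
  if (entry === 'self' || entry === '*') return entry;
  return `"${new URL(entry).origin}"`;
}

// Produce the header value, e.g. "camera=(self), geolocation=(), ..."
function buildHeader(policy) {
  return Object.entries(policy)
    .map(([f, allow]) => `${f}=(${allow.map(serializeAllowEntry).join(' ')})`)
    .join(', ');
}

// Step 4: the deprecated Feature-Policy syntax used semicolons, single-quoted
// tokens ('self', 'none') and bare origins. None of it is valid
// Permissions-Policy, so report it instead of trying to parse it.
function findLegacySyntax(value) {
  const problems = [];
  if (/'(self|none|src)'/.test(value)) problems.push('single-quoted token');
  if (value.includes(';')) problems.push('semicolon separator');
  if (/(^|[\s(])https?:\/\/[^\s"()]+/.test(value)) problems.push('unquoted origin');
  return problems;
}

// Parse a Permissions-Policy value into { feature: [entries] }, quotes
// stripped from origins. Returns null on legacy or malformed input.
function parseHeader(value) {
  if (findLegacySyntax(value).length > 0) return null;
  const policy = {};
  for (const member of value.split(',')) {
    const m = member.trim().match(/^([a-z][a-z0-9-]*)=(?:\(([^)]*)\)|(\S+))$/);
    if (!m) return null;
    const inner = (m[2] !== undefined ? m[2] : m[3]).trim();
    policy[m[1]] = inner === '' ? [] : inner.split(/\s+/).map(t => t.replace(/^"|"$/g, ''));
  }
  return policy;
}

// Does the top-level policy allow `feature` for `origin`? 'self' means the
// top-level document's own origin. null: the header says nothing about this
// feature, so the browser's own default applies.
function policyAllows(policy, feature, parentOrigin, origin) {
  const allow = policy[feature];
  if (allow === undefined) return null;
  return allow.some(e => e === '*' || (e === 'self' ? origin === parentOrigin : e === origin));
}

// Parse an <iframe allow="..."> attribute such as "camera; fullscreen 'none'".
// A directive without tokens defaults to 'src', the iframe's own origin.
function parseAllowAttribute(attr) {
  const out = {};
  for (const part of attr.split(';')) {
    const [feature, ...tokens] = part.trim().split(/\s+/).filter(Boolean);
    if (feature) out[feature] = tokens.length ? tokens : ["'src'"];
  }
  return out;
}

// Step 3: a feature works inside an iframe only when BOTH the top-level
// header allows it for the frame's origin AND the allow attribute delegates
// it. Returns one status string per feature the frame asks for.
function checkIframe(headerValue, parentOrigin, iframeSrc, allowAttr) {
  const policy = parseHeader(headerValue);
  if (policy === null) throw new Error('not valid Permissions-Policy syntax');
  const frameOrigin = new URL(iframeSrc).origin;
  const result = {};
  for (const [feature, tokens] of Object.entries(parseAllowAttribute(allowAttr))) {
    const headerGrants = policyAllows(policy, feature, parentOrigin, frameOrigin);
    const attrGrants = tokens.some(t => t === '*' || t === "'src'"
      || (t === "'self'" && frameOrigin === parentOrigin) || t === frameOrigin);
    result[feature] = headerGrants === null ? 'not in header, browser default applies'
      : !headerGrants ? 'blocked by Permissions-Policy'
      : !attrGrants ? 'blocked by allow attribute' : 'allowed';
  }
  return result;
}

// Constructed demo: the checkout frame may take payments but not use the camera.
const HEADER = buildHeader(BASELINE);
console.log(HEADER);
console.log(checkIframe(HEADER, 'https://app.example',
  'https://pay.example/checkout', 'payment; camera; autoplay'));
```

The iframe check encodes the rule that delegation needs both halves: the top-level header must allow the feature for the frame's exact origin, and the frame's allow attribute must grant it. A self-only header entry therefore blocks a cross-origin widget even when the widget's allow attribute asks for the feature, and a feature the header never mentions falls back to the browser default rather than to deny. Run the check once per third-party origin rather than per vendor, since each subdomain is its own origin.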

Implementation notes

Document which team owns each directive. Most policy drift happens after embed changes, so ownership and release checklists are more effective than one-off audits.

FAQ

Can I rely on browser defaults? No. Each feature has its own spec-defined default allowlist (self for sensitive features such as camera, microphone and geolocation, * for some less sensitive ones), those defaults can change as the spec evolves, and a default of self still lets every same-origin script use the feature. Set explicit directives for everything you care about.

Do I need to test on mobile? Yes. Support for individual directives differs between platforms, and between a platform's browser and its WebView engine, so a policy that holds in a desktop browser may not hold in an in-app browser. Test on the real mobile browsers and apps your users use.