Seoxpert.io
low · Security

Missing Permissions-Policy Header

The Permissions-Policy HTTP header is missing, allowing unrestricted access to sensitive browser APIs.

By Seoxpert Editorial · Published

Why it matters

Without the Permissions-Policy header, third-party scripts on your site may access sensitive APIs like geolocation, camera, or microphone without user awareness. This can increase privacy risks for users and potentially expose your site to security vulnerabilities, which may erode user trust and indirectly impact SEO.

Impact

Leaving this unresolved allows third-party scripts unrestricted access to powerful browser features, increasing privacy and security risks.

How it's detected

An automated crawler checks HTTP response headers and flags pages where the Permissions-Policy header is absent.

Common causes

  • Lack of awareness about the Permissions-Policy header and its benefits.
  • Web server or framework configuration does not include the header by default.
  • Legacy codebases that predate the Permissions-Policy standard.
  • Reliance on third-party hosting or CDNs that do not set the header automatically.

How to fix it

Add a Permissions-Policy HTTP header to your server or application configuration. Specify which browser features should be restricted, such as geolocation, camera, and microphone. For example, use 'Permissions-Policy: geolocation=(), microphone=(), camera=()' to deny all access to these features. Update your web server (e.g., Apache, Nginx) or application code to include this header in all responses.

Code examples

Apache: Add Permissions-Policy header

# Requires mod_headers. "always" also applies the header to error responses.
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

Nginx: Add Permissions-Policy header

# "always" adds the header regardless of the response status code.
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

Express.js: Set Permissions-Policy header

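const express = require('express');
const app = express();

// Register before any routes so every response carries the header.
app.use((req, res, next) => {
  res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
  next();
});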

FAQ

What is the Permissions-Policy header?

It is an HTTP header that controls which browser features and APIs can be used by the page and its embedded resources.

Does missing Permissions-Policy affect SEO rankings directly?

No, but it can impact user trust and security, which are important for overall site quality.

Which features should I restrict with Permissions-Policy?

Restrict features your site does not use, such as geolocation, camera, and microphone, to reduce security risks.

How do I check if my site sets the Permissions-Policy header?

Use browser developer tools or online header checkers to inspect the HTTP response headers for your pages.
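
The header check can also be scripted. The following is an added example, not Seoxpert's crawler code: it parses a Permissions-Policy value and reports, per feature, whether it is denied, allowed, or not listed (in which case the browser's default for that feature applies). The function names, status strings and sample headers are assumptions made for this illustration.

```javascript
// Added example: classify a Permissions-Policy header value per feature.
// The sample header maps at the bottom are constructed for illustration.
const SENSITIVE = ['geolocation', 'microphone', 'camera'];

// Split on commas that are not inside (...) or "..." so allowlists stay whole.
function splitDirectives(value) {
  const parts = [];
  let depth = 0, quoted = false, cur = '';
  for (const ch of value) {
    if (ch === '"') quoted = !quoted;
    else if (!quoted && ch === '(') depth++;
    else if (!quoted && ch === ')') depth--;
    if (ch === ',' && depth === 0 && !quoted) { parts.push(cur); cur = ''; }
    else cur += ch;
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Returns { feature: 'header-missing' | 'not-listed' | 'denied' | 'allowed: <list>' }.
function auditPermissionsPolicy(headers, features = SENSITIVE) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const raw = lower['permissions-policy'];
  const report = {};
  if (raw === undefined) {
    for (const f of features) report[f] = 'header-missing';
    return report;
  }
  const policy = new Map();
  for (const d of splitDirectives(raw)) {
    const eq = d.indexOf('=');
    if (eq === -1) continue;                // skip tokens without an allowlist
    policy.set(d.slice(0, eq).trim(), d.slice(eq + 1).trim());
  }
  for (const f of features) {
    if (!policy.has(f)) report[f] = 'not-listed';   // browser default applies
    else if (/^\(\s*\)$/.test(policy.get(f))) report[f] = 'denied';
    else report[f] = 'allowed: ' + policy.get(f);
  }
  return report;
}

// Constructed responses: the page's recommended value, a partial policy, no header.
const fixed = { 'Permissions-Policy': 'geolocation=(), microphone=(), camera=()' };
const partial = { 'permissions-policy': 'geolocation=(self "https://maps.example"), camera=()' };
console.log(auditPermissionsPolicy(fixed), auditPermissionsPolicy(partial), auditPermissionsPolicy({}));
```

To audit a live page, pass in the response headers captured from the developer tools or an HTTP client in place of the constructed samples.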
