Severity: medium | Category: Security & Infrastructure

Permissions-Policy Header

The Permissions-Policy header controls which browser features (camera, microphone, geolocation, etc.) can be used on your site. SaaSalyst checks whether your server sends this header to restrict potentially sensitive browser APIs.

What SaaSalyst Checks

SaaSalyst inspects the HTTP response headers from your server for the Permissions-Policy header. The scanner checks only for the header's presence: if it is found, the check passes; if it is absent, the check triggers a warning. The directives inside the header are not evaluated.
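The presence check described above, as an added example that is not SaaSalyst's scanner code: it looks up the Permissions-Policy header case-insensitively in a set of captured response headers and returns pass or warning. It goes one step beyond the page's check by also parsing the directives, so the result shows which features are denied and which are left unrestricted with `*`. The sample responses are constructed for the example.

```javascript
// Added example (not SaaSalyst's scanner): presence check for the
// Permissions-Policy header over captured response headers, plus a parse of
// its directives. Sample responses below are constructed for the example.

// Header names are case-insensitive, so normalise before comparing.
function findHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// Parse 'camera=(), geolocation=(self "https://maps.example")' into a map of
// feature -> allowlist. [] means denied everywhere; ["*"] means unrestricted.
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const part of value.split(',')) {
    const directive = part.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    if (eq === -1) continue; // malformed directive: skip it
    const feature = directive.slice(0, eq).trim();
    let allowlist = directive.slice(eq + 1).trim();
    if (allowlist.startsWith('(') && allowlist.endsWith(')')) {
      allowlist = allowlist.slice(1, -1).trim();
    }
    policy[feature] = allowlist === ''
      ? []
      : allowlist.split(/\s+/).map(s => s.replace(/^"|"$/g, ''));
  }
  return policy;
}

// Same outcome as the page's check: present -> pass, absent -> warning.
// Additionally lists features the policy leaves unrestricted ("*").
function checkPermissionsPolicy(headers) {
  const value = findHeader(headers, 'Permissions-Policy');
  if (value === null) {
    return { status: 'warning', reason: 'Permissions-Policy header missing' };
  }
  const policy = parsePermissionsPolicy(value);
  const unrestricted = Object.keys(policy).filter(f => policy[f].includes('*'));
  return { status: 'pass', policy, unrestricted };
}

// Constructed sample responses (not real scan output).
const hardenedResponse = {
  'content-type': 'text/html',
  'permissions-policy': 'camera=(), microphone=(), geolocation=(self "https://maps.example")',
};
const missingResponse = { 'content-type': 'text/html' };

console.log(JSON.stringify(checkPermissionsPolicy(hardenedResponse)));
console.log(JSON.stringify(checkPermissionsPolicy(missingResponse)));
```

A header that is present but permissive (for example `camera=*`) still passes the presence check, which is why the example reports the `unrestricted` list separately.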

Why This Matters

Without a Permissions-Policy header, any third-party script or embedded iframe on your page can access browser features like the camera, microphone, and geolocation.

For SaaS products that embed third-party widgets, analytics, or ads, this header is an important security boundary. Security teams specifically look for this header during vendor assessments.

How to Fix It

  1. Add a Permissions-Policy header to your server responses. Example: Permissions-Policy: camera=(), microphone=(), geolocation=()
  2. For Next.js, configure this in the headers() function of next.config.js.
  3. Start restrictive (deny all) and selectively enable features your app actually needs.
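The three steps above carried through for a Next.js app, as an added example that is not SaaSalyst's code or the code of any particular project: a small builder starts from deny-all for a list of features and selectively enables the ones the app needs, and the resulting string is attached to every route through the `headers()` hook of next.config.js. The feature list and the assumption that the app needs geolocation only on its own origin are choices made for the example.

```javascript
// Added example (not SaaSalyst's code): deny-by-default Permissions-Policy
// built for the headers() hook in next.config.js. RESTRICTED_FEATURES and the
// allowed origins below are assumptions for the example; adjust them to the
// features your app actually uses.

// Features that start denied ("()") unless explicitly allowed.
const RESTRICTED_FEATURES = ['camera', 'microphone', 'geolocation', 'payment', 'usb'];

// Serialise one allowlist: [] -> "()", ['self'] -> "(self)",
// ['self', 'https://maps.example'] -> '(self "https://maps.example")',
// and a list containing '*' -> "*" (unrestricted).
function formatAllowlist(origins) {
  if (origins.includes('*')) return '*';
  const items = origins.map(o => (o === 'self' ? o : `"${o}"`));
  return `(${items.join(' ')})`;
}

// Step 3: deny every restricted feature, then enable only what is passed in.
// `allowed` maps feature -> list of origins ('self' or an absolute origin).
function buildPermissionsPolicy(allowed = {}) {
  return RESTRICTED_FEATURES
    .map(feature => `${feature}=${formatAllowlist(allowed[feature] || [])}`)
    .join(', ');
}

// Assumed app need: geolocation on the app's own origin only.
const PERMISSIONS_POLICY = buildPermissionsPolicy({ geolocation: ['self'] });

// Rules in the shape Next.js expects; source '/(.*)' matches every route.
function securityHeaderRules() {
  return [
    {
      source: '/(.*)',
      headers: [{ key: 'Permissions-Policy', value: PERMISSIONS_POLICY }],
    },
  ];
}

// Step 2: the headers() hook of next.config.js returns those rules.
async function headers() {
  return securityHeaderRules();
}

// In next.config.js this would be exported as part of the config object:
// module.exports = { headers };

console.log(PERMISSIONS_POLICY);
```

With the assumed input the header sent is `Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=(), usb=()`; adding a feature to the `allowed` map is the only change needed when the app later requires it.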

Frequently Asked Questions

How does SaaSalyst check for Permissions-Policy?

SaaSalyst inspects your server's HTTP response headers for the Permissions-Policy header. Its presence indicates you have restricted browser feature access for your site.

How does Permissions-Policy affect my Business Readiness Score?

SaaSalyst rates Permissions-Policy as medium severity in Security & Infrastructure. Its absence is flagged as a warning because it represents a security hardening opportunity.
