Permissions-Policy
Permissions-Policy (formerly Feature-Policy) controls which browser features your site can use — camera, microphone, geolocation, and more. SaaSalyst checks whether your server sends this header, detecting whether you've explicitly restricted browser feature access to minimize your attack surface.
What SaaSalyst Checks
SaaSalyst inspects the HTTP response headers for the Permissions-Policy header. The scanner checks only for the header's presence: any valid policy directive satisfies the check, so a header that merely permits a feature (for example fullscreen=*) passes exactly as a restrictive one does. A pass therefore shows the header is configured, not that the features you care about are denied; review the directives themselves.
Why This Matters
Permissions-Policy lets you explicitly deny browser features your site doesn't need, for the top-level page and for every frame it embeds. Browsers already default the most sensitive features (camera, microphone, geolocation) to the embedding origin only, so a cross-origin iframe gets them only if you delegate them with the iframe's allow attribute; the header sets the ceiling on what any frame, and your own scripts, can ever be granted, and a feature denied in the header cannot be re-enabled by an allow attribute or by a permission prompt.
For SaaS products, restricting unnecessary permissions reduces your attack surface. If your product doesn't need camera access, camera=() makes the camera API fail for every script on the page, including one injected through an XSS flaw or a compromised third-party dependency. It does not stop the injection itself, only what the injected code can do with the browser's hardware and location APIs.
This header is part of the defense-in-depth security approach recommended by OWASP and increasingly checked in enterprise security audits.
How to Fix It
- Add a Permissions-Policy header that restricts features you don't use: Permissions-Policy: camera=(), microphone=(), geolocation=().
- List only the features your site actually needs. Use () (empty) to deny a feature everywhere, including your own origin, or (self) to allow only your own origin; a specific third-party origin goes in the list as a quoted URL, for example geolocation=(self "https://maps.example.com"). Browsers also accept the bare forms self and * (allow every origin). A cross-origin iframe can never receive more than the header allows, and for features whose browser default is self it additionally needs the iframe's allow attribute to receive anything at all.
- Common features to restrict: camera, microphone, geolocation, payment, usb, bluetooth, display-capture.
- Configure in your web server, CDN, or framework's header configuration.
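The following is an added example, not SaaSalyst's scanner code or any project's configuration. It parses a Permissions-Policy header value, audits which of the features listed above a response actually denies (so you can see why a present-but-permissive header is not the same as a restrictive one), and builds a corrected header value from a simple spec. The feature list, helper names and the two sample header sets are assumptions constructed for the demo.

```javascript
// Added example (not SaaSalyst's scanner code): parse a Permissions-Policy
// header, audit which sensitive features it actually denies, and build a
// corrected header value. Sample headers below are constructed for the demo.

// Features the page lists as worth restricting when a product does not use them.
const SENSITIVE_FEATURES = [
  "camera", "microphone", "geolocation", "payment", "usb", "bluetooth", "display-capture",
];

// Parse a header value such as
//   camera=(), geolocation=(self "https://maps.example"), fullscreen=*
// into a Map of feature -> allowlist. An empty allowlist means "denied for
// everyone, including this origin"; ["*"] means any origin; otherwise the list
// holds "self" and/or origins with their surrounding quotes stripped.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  if (typeof value !== "string") return policy;
  for (const rawEntry of value.split(",")) {
    const entry = rawEntry.trim();
    const eq = entry.indexOf("=");
    if (eq === -1) continue; // no allowlist given: the entry sets nothing we can audit
    const feature = entry.slice(0, eq).trim().toLowerCase();
    const allow = entry.slice(eq + 1).trim();
    if (!/^[a-z][a-z0-9-]*$/.test(feature)) continue;
    let members;
    if (allow === "*" || allow === "self") {
      members = [allow]; // bare token forms
    } else if (allow.startsWith("(") && allow.endsWith(")")) {
      members = allow.slice(1, -1).trim().split(/\s+/).filter(Boolean)
        .map((t) => t.replace(/^"(.*)"$/, "$1"));
    } else {
      continue; // not a valid allowlist
    }
    policy.set(feature, members);
  }
  return policy;
}

// Audit a response's headers (an object keyed by header name, any letter case).
// A feature is "unrestricted" when the header is absent or does not mention it,
// so the browser's own default allowlist applies to it.
function auditPermissionsPolicy(headers, features = SENSITIVE_FEATURES) {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "permissions-policy");
  const result = { present: name !== undefined, denied: [], allowed: [], unrestricted: [] };
  const policy = name === undefined ? new Map() : parsePermissionsPolicy(headers[name]);
  for (const feature of features) {
    if (!policy.has(feature)) result.unrestricted.push(feature);
    else if (policy.get(feature).length === 0) result.denied.push(feature);
    else result.allowed.push(feature);
  }
  return result;
}

// Serialize a spec into a header value. [] denies, ["self"] restricts to this
// origin, ["*"] allows everyone, and any other string is emitted as a quoted origin.
function buildPermissionsPolicy(spec) {
  return Object.entries(spec).map(([feature, origins]) => {
    if (origins.length === 1 && origins[0] === "*") return `${feature}=*`;
    const members = origins.map((o) => (o === "self" ? o : `"${o}"`));
    return `${feature}=(${members.join(" ")})`;
  }).join(", ");
}

// Constructed sample responses: one with no header (fails the presence check),
// one with a corrected header that keeps payment for an on-origin checkout flow.
const WEAK_HEADERS = { "content-type": "text/html" };
const FIXED_HEADERS = {
  "content-type": "text/html",
  "Permissions-Policy": buildPermissionsPolicy({
    camera: [], microphone: [], geolocation: [], "display-capture": [],
    payment: ["self"],
  }),
};

console.log(FIXED_HEADERS["Permissions-Policy"]);
console.log(auditPermissionsPolicy(WEAK_HEADERS));
console.log(auditPermissionsPolicy(FIXED_HEADERS));
```

The audit deliberately separates "denied" from "allowed" and "unrestricted": a header that mentions a feature with a non-empty allowlist still leaves it usable, and a feature the header never mentions falls back to the browser default, which for usb and bluetooth in the fixed sample means your own origin can still call them.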
Frequently Asked Questions
How does SaaSalyst check for Permissions-Policy?
SaaSalyst inspects your HTTP response headers for a Permissions-Policy header. Any valid policy directive satisfies the check.
What is Permissions-Policy?
Permissions-Policy controls which browser features (camera, microphone, geolocation) your site and embedded content can access. SaaSalyst checks for it because it reduces your attack surface.
How does Permissions-Policy affect my Business Readiness Score?
SaaSalyst rates Permissions-Policy as low severity in Security & Infrastructure. It's part of comprehensive security header coverage and shows defense-in-depth security practices.
References & Official Sources
Official regulatory and standards sources relevant to the checks SaaSalyst runs on your site.
- OWASP Top 10 (OWASP)
- Security Headers Reference (Mozilla)
- HSTS Preload List (Google)
Check Your SaaS Now — Free
SaaSalyst scans your website in 30 seconds and checks for Permissions-Policy along with 40+ other business readiness signals.
Scan Your App