Validates Permissions-Policy header for secure browser feature controls
Validates the Permissions-Policy HTTP header configuration to ensure proper security controls for browser features and APIs
This checker validates the Permissions-Policy HTTP header configuration on websites. The Permissions-Policy header is a security mechanism that allows websites to control which browser features and APIs can be used by the page and its embedded content.
The checker performs the following checks:
- Header Presence: Verifies that the Permissions-Policy header is present in the HTTP response
- Syntax Validation: Validates the header format and directive syntax
- Directive Recognition: Checks if all directives are recognized and valid
- Security Analysis: Analyzes security implications of directive configurations
- Allowlist Validation: Validates the allowlist format for each directive
Recognized directives fall into these groups:
- Media: camera, microphone, speaker-selection
- Location & Sensors: geolocation, accelerometer, gyroscope
- Payment: payment, web-share
- Display: fullscreen, picture-in-picture
- Storage: storage-access, browsing-topics
- Privacy-sensitive: clipboard-read, clipboard-write, document-domain
The checker parses the header as a comma-separated list of directive=allowlist pairs, for example geolocation=(self "https://example.com"), and validates each component. Inside the parentheses, self and * are bare keywords and every other entry is a double-quoted origin (scheme, host and optional port, nothing else); an empty allowlist such as geolocation=() disables the feature everywhere, including for the page itself. A quoted "self" is parsed as an origin string rather than the keyword (the quoted 'self' form belongs to the older Feature-Policy header), so it counts as invalid allowlist syntax.
| Status | Description | Test Logic |
|---|---|---|
| SUCCESS | Permissions-Policy header is properly configured with valid directives and secure settings | - Header is present and not empty - All directives have valid syntax - No unrecognized directives - No security concerns detected - Allowlist format is correct |
| WARNING | Header is present but has potential issues that should be addressed | - Contains unrecognized directives (may be valid but not in known list) - Security-sensitive directives have overly permissive configurations - Deprecated directives are used (autoplay, encrypted-media) - Missing explicit configuration for important security directives |
| FAIL | Header is missing or contains critical errors | - Permissions-Policy header is completely missing - Header value is empty or blank - Syntax errors in directive format - Invalid allowlist syntax - Malformed directive=allowlist format |
Success Conditions:
- Header exists and contains valid content
- All directives match known patterns
- Security analysis shows no concerns
- Allowlist parsing succeeds for all directives

Warning Conditions:
- Unrecognized directives (not in the KNOWN_DIRECTIVES set)
- Security-sensitive features with overly permissive allowlists (for example camera=* or geolocation=*)
- Use of deprecated but still functional directives (note that autoplay and encrypted-media, which this check flags, are still listed as standard Permissions-Policy features, so treat this warning as advisory rather than as a reason to drop them)
- Missing explicit configuration for critical security features

Fail Conditions:
- Complete absence of the header
- Empty or whitespace-only header value
- Regex pattern matching fails for the directive format (for example whitespace around "=")
- Allowlist parsing throws exceptions (for example an unquoted origin, a quoted "self", or a value that is not a bare origin)
- Invalid syntax that cannot be parsed
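As an added example, not the checker's own code, the following Python models the parse-and-classify logic described above: it splits the header into directives, parses each allowlist with self and * as bare keywords and everything else as a quoted origin, and then applies the FAIL, WARNING and SUCCESS rules in that order. The directive sets, the three sample header values and the function names are assumptions made for illustration; the checker's real KNOWN_DIRECTIVES list is not published on this page.

```python
# Added toy checker following the SUCCESS/WARNING/FAIL rules above; not the product's
# code. Every directive set here is an assumption drawn from the page's categories.
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

SUCCESS, WARNING, FAIL = "SUCCESS", "WARNING", "FAIL"

KNOWN_DIRECTIVES = {  # assumed: the page's groups plus a few other standard features
    "camera", "microphone", "speaker-selection", "geolocation", "accelerometer",
    "gyroscope", "payment", "web-share", "fullscreen", "picture-in-picture",
    "storage-access", "browsing-topics", "clipboard-read", "clipboard-write",
    "document-domain", "autoplay", "encrypted-media", "usb", "midi", "display-capture",
}
# Features that must never be opened to every origin with "*".
SENSITIVE_DIRECTIVES = {"camera", "microphone", "geolocation", "payment",
                        "clipboard-read", "clipboard-write", "display-capture", "usb"}
# The page's checker flags these as deprecated; both remain standard features,
# so the finding is advisory.
FLAGGED_AS_DEPRECATED = {"autoplay", "encrypted-media"}
# Assumed "critical" set that every policy should configure explicitly.
REQUIRED_DIRECTIVES = {"camera", "microphone", "geolocation"}
# Accepts name=(...), name=(), name=* and name=self; whitespace around "=" is a syntax error.
_DIRECTIVE_RE = re.compile(r"^([a-z][a-z0-9-]*)=(\((.*)\)|\*|self)$")


@dataclass
class Result:
    status: str
    directives: dict = field(default_factory=dict)  # name -> parsed allowlist
    findings: list = field(default_factory=list)


def _split_directives(value: str) -> list:
    """Split on commas that sit outside an allowlist's parentheses."""
    parts, depth, cur = [], 0, []
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _parse_allowlist(raw: str) -> list:
    """Return allowlist items; reject anything other than self, * or a quoted origin."""
    items = []
    for item in raw.split():
        if item in ("self", "*"):
            items.append(item)
        elif len(item) >= 2 and item[0] == item[-1] == '"':
            origin, u = item[1:-1], urlsplit(item[1:-1])
            # A string item must be a serialized origin (scheme://host[:port]); a quoted
            # "self" is therefore an origin string, not the self keyword, and fails here.
            if u.scheme not in ("http", "https") or not u.netloc or u.path or u.query or u.fragment:
                raise ValueError(f'"{origin}" is not an origin')
            items.append(origin.lower())
        else:
            raise ValueError(f"unexpected allowlist token {item!r}")
    return items


def check_permissions_policy(header: Optional[str]) -> Result:
    """Classify a Permissions-Policy header value; None means the header was absent."""
    if header is None or not header.strip():
        return Result(FAIL, findings=["header is missing" if header is None else "header is empty"])
    res = Result(SUCCESS)
    for part in _split_directives(header):
        m = _DIRECTIVE_RE.match(part)
        if not m:
            res.status = FAIL
            res.findings.append(f"malformed directive: {part!r}")
            continue
        name, value, inner = m.groups()
        try:
            res.directives[name] = _parse_allowlist(value if inner is None else inner)
        except ValueError as e:
            res.status = FAIL
            res.findings.append(f"{name}: invalid allowlist ({e})")
    if res.status == FAIL:
        return res  # syntax problems outrank every warning rule
    for name, allow in res.directives.items():
        if name not in KNOWN_DIRECTIVES:
            res.findings.append(f"{name}: unrecognized directive")
        if name in SENSITIVE_DIRECTIVES and "*" in allow:
            res.findings.append(f"{name}: allowed for all origins (*)")
        if name in FLAGGED_AS_DEPRECATED:
            res.findings.append(f"{name}: flagged as deprecated")
    for name in sorted(REQUIRED_DIRECTIVES - res.directives.keys()):
        res.findings.append(f"{name}: no explicit policy")
    if res.findings:
        res.status = WARNING
    return res


# Constructed sample header values, not captured from any real site.
HARDENED = 'camera=(), microphone=(), geolocation=(self "https://maps.example.com"), payment=(self)'
PERMISSIVE = 'camera=*, microphone=(self), geolocation=(self), autoplay=(self), foo-bar=()'
MALFORMED = 'camera=("self"), geolocation=self'

if __name__ == "__main__":
    for label, value in (("hardened", HARDENED), ("permissive", PERMISSIVE),
                         ("malformed", MALFORMED), ("missing", None)):
        r = check_permissions_policy(value)
        print(f"{label:10} {r.status:8} {'; '.join(r.findings) or 'no findings'}")
```

Running the module prints one line per sample: the hardened value is SUCCESS, the permissive one is WARNING for camera=*, the flagged autoplay directive and the unknown foo-bar, and the malformed one is FAIL because camera=("self") carries an origin string rather than the self keyword. Syntax failures are reported before any warning rule runs, matching the precedence in the status table.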
- Feature Abuse: Without restrictions, any script running in the page, including an injected or compromised third-party script, can request camera, microphone or geolocation access; a policy such as camera=() makes the request fail regardless of what the script does
- Privacy Breaches: Unrestricted access to privacy-sensitive APIs (sensors, clipboard, Topics) lets the page or its embeds collect data the user never consented to
- Cross-Origin Exploitation: Allowlists containing * or an over-broad origin let cross-origin iframes use restricted features; a cross-origin frame should only gain a feature when the parent's policy names its origin and the iframe's allow attribute delegates it
- GDPR Violations: Failing to restrict data-collecting features may be cited in privacy assessments and regulatory reviews
- Security Audits: Missing or misconfigured security headers fail header-based security assessments and scanners
- Browser Warnings: Browsers report unrecognized directives and unparseable allowlist entries only as console warnings, so a broken policy produces no visible signal to users
- Browser Blocking: A mistakenly restrictive policy (for example fullscreen=() on a page with a video player) disables the feature for the page and all of its iframes, and the corresponding API calls are rejected with no obvious error message
- User Experience: Unexpected feature access or unexpected failures can confuse users and damage trust
- Security Indicators: This header has no effect on the address-bar "not secure" indicator, which is driven by TLS; its absence is only visible to tools that inspect response headers, so do not rely on browser UI to catch it
- Future Compatibility: Browsers ignore directive names they no longer recognize, so a policy written around legacy names silently stops applying in newer versions
- Maintenance Overhead: Poorly configured policies require more maintenance and troubleshooting
- Performance Impact: Leaving features such as autoplay enabled for third-party frames lets embedded content consume CPU, network and battery that the page never needed
Add this checker to your monitoring setup and start identifying issues on your websites today.