Security headers · Check
Permissions-Policy missing — denying camera, mic, and geolocation defaults
Permissions-Policy controls which browser features (camera, microphone, geolocation, sensors, payment) your origin and the frames it embeds may use. Because the defaults vary by browser, an explicit deny for each sensitive feature makes the contract unambiguous for the browser, for embedded third parties, and for anyone reviewing the site.
Real-world risk
Without the header, powerful features (camera, mic, geolocation) fall back to permissive browser defaults, so if a compromised third-party script (supply chain) or an XSS payload tries to use them, the abuse is harder to contain.
Fix steps (in order)
- Add Permissions-Policy with explicit denies, e.g.: Permissions-Policy: camera=(), microphone=(), geolocation=()
- Allowlist only origins that truly need a feature.
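The two fix steps above, rendered and checked in Python. This is an added example, not Scorifya's scanner code and not part of the original page: it builds a header value with explicit denies (plus an optional allowlist, as step 2 describes), parses a Permissions-Policy value back into per-feature allowlists, and audits a response-header dict the way a scanner would, reporting the page's own finding id when the header is absent. The sample responses (WEAK, PERMISSIVE, FIXED), the origin https://video.example, and the status labels are constructed for the example.

```python
"""Build, parse and audit Permissions-Policy headers.

Added example (assumptions: feature names limited to camera, microphone,
geolocation; sample responses and origins below are constructed).
"""
import re

# Features the page's check cares about (assumed subset, not the full list).
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation")

# Allowlist members: '*', 'self', or a quoted origin such as "https://a.example".
_TOKEN = re.compile(r'\*|self|"[^"]*"')


def build_policy(denied, allowlisted=None):
    """Render a header value: denied features become 'feature=()', and
    allowlisted features become 'feature=(self "https://origin")'."""
    parts = [f"{feature}=()" for feature in denied]
    for feature, origins in (allowlisted or {}).items():
        items = " ".join("self" if o == "self" else f'"{o}"' for o in origins)
        parts.append(f"{feature}=({items})")
    return ", ".join(parts)


def parse_permissions_policy(value):
    """Return {feature: allowlist}. An empty list means denied ('()'),
    ['*'] means any origin, otherwise 'self' and/or quoted origins.
    None marks a member whose allowlist could not be parsed."""
    policy = {}
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        name, _, rhs = member.partition("=")
        name, rhs = name.strip().lower(), rhs.strip()
        if rhs.startswith("(") and rhs.endswith(")"):
            policy[name] = _TOKEN.findall(rhs[1:-1])        # inner list
        elif rhs in ("*", "self") or (rhs.startswith('"') and rhs.endswith('"')):
            policy[name] = [rhs]                            # single item
        else:
            policy[name] = None                             # malformed
    return policy


def classify_feature(policy, feature):
    """Status of one feature: denied, any_origin, allowlisted, undeclared, malformed."""
    if feature not in policy:
        return "undeclared"          # browser default applies
    allowlist = policy[feature]
    if allowlist is None:
        return "malformed"
    if not allowlist:
        return "denied"              # explicit '()'
    if "*" in allowlist:
        return "any_origin"
    return "allowlisted"


def _get_header(headers, name):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit(headers, features=SENSITIVE_FEATURES):
    """Return a list of findings; an empty list means the check passes.
    Passing means the header is present and every sensitive feature is
    either denied or restricted to an explicit allowlist (fix steps 1 and 2)."""
    value = _get_header(headers, "Permissions-Policy")
    if value is None:
        return ["missing_permissions_policy"]   # finding id used on the page
    policy = parse_permissions_policy(value)
    return [
        f"{feature}:{status}"
        for feature in features
        if (status := classify_feature(policy, feature)) not in ("denied", "allowlisted")
    ]


# Constructed sample responses (not real scan output).
WEAK = {"Content-Type": "text/html"}                                   # header absent
PERMISSIVE = {"Permissions-Policy": "camera=*, microphone=(self), geolocation=()"}
FIXED = {"Permissions-Policy": build_policy(SENSITIVE_FEATURES)}       # all three denied

if __name__ == "__main__":
    for label, response in (("weak", WEAK), ("permissive", PERMISSIVE), ("fixed", FIXED)):
        print(f"{label:10s} {audit(response) or 'PASS'}")
    print(build_policy(["microphone", "geolocation"], {"camera": ["self", "https://video.example"]}))
```

Running the script prints the missing-header finding for WEAK, a single camera:any_origin finding for PERMISSIVE, PASS for FIXED, and a header value that denies microphone and geolocation while allowlisting camera for self and one origin. The parser deliberately classifies anything it cannot read as malformed rather than denied, so a typo in the header shows up as a finding instead of silently passing.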
Topic explainer
What is Content Security Policy (CSP)? A practical explainer →
An accessible explanation of Content Security Policy: what it does, why it exists, the directives that matter, and how to roll one out without breaking your app.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (missing_permissions_policy) clears once the header is present in the response, which is the externally observable signal the scan checks for.