How to Configure Permissions-Policy Header in Apache & Nginx

The Permissions-Policy header is a powerful tool for enhancing the security and privacy of your website by controlling which features and APIs can be used by the browser. It replaces the older Feature-Policy header with a more refined and flexible approach. Here is a detailed guide on how to use the Permissions-Policy header effectively: 

What are Permissions-Policy?

The Permissions-Policy header allows website administrators to specify which web features and APIs are allowed or disallowed on their site. This can include features like camera access, geolocation, and more. By setting this header, you can reduce the attack surface of your site and prevent misuse of sensitive features. 

Benefits of Using Permissions-Policy

• Enhances Security: Prevents unauthorized access to sensitive APIs and features, reducing the risk of data leakage or misuse. 
• Improves Privacy: Restricts access to potentially intrusive features like geolocation or camera, protecting user privacy. 
• Controls API Usage: Limits or disables access to APIs that may not be necessary for your site, minimizing potential vulnerabilities. 

How to Set the Permissions-Policy Header

You can configure the Permissions-Policy header in your server configuration files or via .htaccess. Here is how you can do it for several types of web servers:

Apache Web Server

1. Open Your Configuration File: 

• You can set the Permissions-Policy header in the main configuration file (httpd.conf, apache2.conf) or in a specific site configuration file.

2. Add the Header:

• Add the following line to your configuration file: 

Header set Permissions-Policy "geolocation=(self), microphone=()" 

• This example policy allows geolocation requests from the same origin (self) and disallows microphone access (microphone=()). 

3. Restart Apache: 

• After making changes, restart Apache to apply the new configuration: 

sudo systemctl restart apache2

Or for CentOS/RHEL:

sudo systemctl restart httpd

Nginx Web Server

1. Open Your Configuration File: 

• Edit your Nginx configuration file, typically located in /etc/nginx/nginx.conf or in a site-specific file under /etc/nginx/sites-available/. 

2. Add the Header:

• Add the following line within the server block:

add_header Permissions-Policy "geolocation=(self), microphone=()";

3. Restart Nginx:

• Restart Nginx to apply the new configuration: 

sudo systemctl restart nginx 

Using .htaccess (Apache Only) 

1. Open Your .htaccess File: 

• Locate and edit your .htaccess file in the root directory of your site. 

2. Add the Header:

• Add the following line to set the Permissions-Policy header: 

Header set Permissions-Policy "geolocation=(self), microphone=()" 

3. Save and Exit: 

• Save the file and ensure that .htaccess is enabled in your Apache configuration. 

Example Policies

Here are some examples of Permissions-Policy header values:

• Allow Geolocation, Disallow Microphone: 

Permissions-Policy: geolocation=(self), microphone=()

• Allow Camera and Microphone, Disallow Geolocation:

Permissions-Policy: camera=(self), microphone=(self), geolocation=()

• Allow All Features from Same Origin:

Permissions-Policy: geolocation=(self), microphone=(self), camera=(self), fullscreen=(self), payment=(self)

Testing and Validation

• Browser Developer Tools: Use browser developer tools to check if the Permissions-Policy header is being applied correctly. You can find this in the Network tab under the Headers section of your HTTP responses. 
• Online Tools: Use online tools like SecurityHeaders.io to validate your Permissions-Policy header and ensure it is configured properly. 

By setting the Permissions-Policy header, you can gain better control over which features and APIs are accessible on your site, thus enhancing both security and privacy.