Permissions-Policy Header Generator

Choose which browser features to allow or deny, set per-feature origin policies, and get the Permissions-Policy header plus matching iframe allow examples.

What is Permissions-Policy Header Generator?

The Permissions-Policy header (formerly Feature-Policy) tells the browser which APIs and features the page and its embedded iframes can use. It controls access to camera, microphone, geolocation, fullscreen, payment, and other browser features. This is useful for static sites that want to set a clear security baseline without complex server configuration.

Quick answer

Use Permissions-Policy to disable browser features -- such as camera, microphone, geolocation, and autoplay -- that your site does not need. This improves privacy and prevents third-party scripts from accessing sensitive APIs.

Limitations

  • Permissions-Policy requires deployment via an HTTP header. GitHub Pages and many static hosts do not support custom headers; use the allow attribute on iframes or configure the host to send the header.
  • The older Feature-Policy header is deprecated. Browsers that support Permissions-Policy no longer process Feature-Policy.
  • Some browser features such as gamepad and screen-wake-lock are not yet supported in all browser engines.

How to use this tool

  1. Select a preset that matches your site type, or choose Custom to set each permission individually.
  2. For each browser feature, choose whether to allow it for all origins, same origin only, or deny it entirely.
  3. Copy the generated Permissions-Policy header into your server or hosting configuration.
  4. Use the iframe allow examples when you need per-iframe overrides.

What you can use it for

  • Set a default deny-all policy and only enable features your site actually uses.
  • Allow fullscreen and autoplay for a media-rich static site.
  • Prepare a security header for Netlify, Cloudflare Pages, Vercel, or GitHub Pages.

Use cases

Practical examples

Example

Minimal static site policy

A content site that needs no camera, microphone, or payment access denies everything except fullscreen for embedded videos. The generator creates a clean one-line header.

Example

Media tool site policy

A web tool site that uses camera and fullscreen can allow those features for its own origin while blocking everything else, including in embedded iframes.

Common mistakes

  • Setting a restrictive policy header but forgetting that iframes need their own allow attribute overrides.
  • Allowing sensitive features such as camera or microphone for all origins with a wildcard.
  • Forgetting that GitHub Pages does not support custom HTTP headers, so the generated policy must be delivered via a meta tag or applied at the CDN level.
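An added example, not the generator's own code: a small JavaScript function that turns per-feature choices (all origins, same origin, denied) into the header line and a matching iframe allow attribute, and flags the wildcard-on-sensitive-feature mistake listed above. The function names, the choice format, and the sample input are assumptions made for illustration.

```javascript
// Added example. Choice per feature: "all", "self", "none", or
// { origins: [...] } meaning own origin plus the listed origins (assumed format).
const SENSITIVE = new Set(["camera", "microphone", "geolocation", "payment"]);

function extraOrigins(choice) {
  if (choice === "self") return [];
  if (!choice || !Array.isArray(choice.origins)) throw new Error("unknown choice");
  return choice.origins.map((o) => new URL(o).origin); // normalise to scheme://host[:port]
}

// Header syntax: * for all, () for none, (self "https://a.example") otherwise.
function headerValue(choice) {
  if (choice === "all") return "*";
  if (choice === "none") return "()";
  return `(${["self", ...extraOrigins(choice).map((o) => `"${o}"`)].join(" ")})`;
}

// iframe allow syntax: 'self' is quoted, origins are written bare.
function iframeValue(choice) {
  return choice === "all" ? "*" : ["'self'", ...extraOrigins(choice)].join(" ");
}

function buildPolicy(choices) {
  const header = [], allow = [], warnings = [];
  for (const [feature, choice] of Object.entries(choices)) {
    if (!/^[a-z-]+$/.test(feature)) throw new Error(`bad feature name: ${feature}`);
    header.push(`${feature}=${headerValue(choice)}`);
    // Denied features are left out of the iframe example entirely.
    if (choice !== "none") allow.push(`${feature} ${iframeValue(choice)}`);
    if (choice === "all" && SENSITIVE.has(feature)) {
      warnings.push(`${feature} is allowed for all origins`);
    }
  }
  return {
    header: `Permissions-Policy: ${header.join(", ")}`,
    iframeAllow: `allow="${allow.join("; ")}"`,
    warnings,
  };
}

// Constructed input modelled on the "media tool site" case above.
const mediaTool = buildPolicy({
  camera: "self", fullscreen: "self",
  microphone: "none", geolocation: "none", payment: "none",
});
console.log(mediaTool.header);
console.log(mediaTool.iframeAllow);
```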

Verification

  1. Inspect the Response Headers tab in the DevTools Network panel to confirm the Permissions-Policy header is present.
  2. Test that blocked features generate a clear console warning rather than silently failing.

FAQ

Questions about Permissions-Policy Header Generator

Can Permissions-Policy be delivered as a meta tag?

Yes. You can use <meta http-equiv="Permissions-Policy" content="..."> as an alternative when server headers are not available, such as on GitHub Pages.

What is the difference between Permissions-Policy and iframe allow?

The Permissions-Policy header sets the default policy for the page and all embedded contexts. The iframe allow attribute can only relax restrictions, never tighten them beyond the page policy.

Which browsers support Permissions-Policy?

Chrome 88+, Edge 88+, Firefox 116+, and Safari 16.1+. The older Feature-Policy header is deprecated and should be replaced with Permissions-Policy.
