Permissions Policy Checker — Feature-Policy Header Scan

Read checks.permissionsPolicy — disable camera, geolocation, payment, and other powerful browser APIs by default

How to Use This Tool

  1. Enter full public URL with https:// scheme.
  2. SSRF-safe fetch collects response headers.
  3. checks.permissionsPolicy accepts permissions-policy or feature-policy header.
  4. Present earns eleven points; absence adds permissionsPolicy to missing.
  5. recommendations suggest disabling unused powerful features.
  6. Parse value tokens for camera, microphone, geolocation, payment restrictions.

About This Tool

Permissions-Policy (formerly Feature-Policy) restricts powerful browser features — camera, microphone, geolocation, payment, USB, and dozens more — unless they are explicitly allowed for your origin and its embedders. The VSPIC permissions-policy-checker calls the security-headers action with your URL and returns the checks.permissionsPolicy present flag and value (read from the permissions-policy or legacy feature-policy header), plus the full checks, grade, missing, recommendations, and headers map.

Default-deny policies reduce the blast radius when attacker-controlled script executes despite CSP gaps. Review checks.permissionsPolicy alongside checks.csp — the full security-headers JSON is the same response the security-headers-checker backend returns; this page focuses on the permissions-policy check.

Common use cases

  • Inspect HTTP headers and user-agent strings
  • Analyze email headers for phishing investigation
  • Generate strong passwords for staging environments

Why use VSPIC for Permissions-Policy checks?

  • checks.permissionsPolicy for modern and legacy header names.
  • Full security-headers audit context in one request.
  • recommendations for disabling unused browser capabilities.
  • Grade and missing arrays for program-level tracking.
  • Truncated value preview with full headers map expand.
  • Free scan — CI integrate via security-headers API.

Permissions-Policy purpose

Even with CSP, script bugs happen. Permissions-Policy limits which APIs a compromised script may invoke — geolocation exfiltration, microphone capture, or payment request abuse. Default deny with explicit allowlists for needed features is the modern baseline.

checks.permissionsPolicy.value shows a truncated policy string; inspect the full headers map for long policies.

Legacy Feature-Policy name

Older deployments send the Feature-Policy header. Backend scoring accepts either the permissions-policy or the feature-policy header name for the present boolean — both populate checks.permissionsPolicy.value.

Migrate to the Permissions-Policy name for spec alignment while keeping equivalent tokens.

Common tokens to restrict

camera=(), microphone=(), geolocation=(), payment=(), usb=() disable those features entirely for origins that do not need them. Adjust allowlists for embedded third-party widgets deliberately.

An overly broad * allowlist defeats the purpose — presence alone does not imply a strict posture.
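Steps 3, 4 and 6 of "How to Use This Tool" and the token guidance in this section, as an added example that is not VSPIC's code: a small Python parser for both header syntaxes, the presence-based scoring the page describes, and a review that separates fully denied features from wildcard allowlists. The header values, the origin https://maps.example and all function names are constructed for illustration.

```python
import re
from typing import Dict, List

# Powerful features the page recommends denying by default.
POWERFUL = ("camera", "microphone", "geolocation", "payment", "usb")

def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Modern syntax, e.g. camera=(), geolocation=(self "https://a.test"); [] = denied."""
    policy: Dict[str, List[str]] = {}
    for m in re.finditer(r'([\w-]+)=(\(([^)]*)\)|\*|self)', value):
        feature, allow, inner = m.group(1), m.group(2), m.group(3)
        if inner is None:                      # bare token: payment=* or usb=self
            policy[feature] = [allow]
        else:                                  # parenthesised allowlist, origins quoted
            policy[feature] = [t.strip('"') for t in inner.split()]
    return policy

def parse_feature_policy(value: str) -> Dict[str, List[str]]:
    """Legacy syntax, e.g. camera 'none'; geolocation 'self' https://a.test"""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            allow = [t.strip("'") for t in parts[1:]]
            policy[parts[0]] = [] if allow == ["none"] else allow
    return policy

def permissions_policy_check(headers: Dict[str, str]) -> dict:
    """Mimic checks.permissionsPolicy: either header name counts as present
    (case-insensitive) and presence alone earns the page's eleven points."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, parser in (("permissions-policy", parse_permissions_policy),
                         ("feature-policy", parse_feature_policy)):
        if name in lowered:
            return {"present": True, "points": 11, "header": name,
                    "policy": parser(lowered[name])}
    return {"present": False, "points": 0, "header": None, "policy": {}}

def review(policy: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Beyond presence: which powerful features are denied, wildcard-allowed,
    or not mentioned at all (and so left at the browser default)."""
    return {
        "denied": [f for f in POWERFUL if policy.get(f) == []],
        "permissive": [f for f, allow in policy.items() if "*" in allow],
        "unrestricted": [f for f in POWERFUL if f not in policy],
    }

# Constructed sample headers map, shaped like the tool's headers field.
SAMPLE_HEADERS = {"Permissions-Policy": 'camera=(), microphone=(), geolocation=(self "https://maps.example"), payment=*'}
```

Running review(permissions_policy_check(SAMPLE_HEADERS)["policy"]) shows why presence is not posture: the sample earns the full points yet leaves payment wildcard-allowed and usb unrestricted.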

Relationship to security-headers-checker

permissions-policy-checker, referrer-policy-checker, x-frame-options-checker, and x-xss-protection-checker all share the security-headers action. The canonical scored audit is the security-headers-checker page.

API: GET /ip-tools/api/extended?action=security-headers&url=https://example.com

Interaction with CSP

CSP script-src and Permissions-Policy complement each other — neither replaces the other. checks.csp in the same JSON shows CSP presence for a holistic review.

Embedded iframes inherit the embedding page's policy — test embedded checkout flows after tightening.

Deployment by platform

Nginx: add_header Permissions-Policy "camera=(), microphone=(), geolocation=()"; in the server or location block that serves HTML routes. CDNs often expose header rule builders — apply the policy consistently at the edge.

SPAs with client-side routing need server config that covers all paths, not only index.html, if the server config varies by path.

Reading score and recommendations

Eleven points are earned when any permissions or feature policy header is present. The recommendations array suggests adding a policy when it is missing.

Track missing permissionsPolicy across staging and production weekly — header regressions tend to follow infrastructure changes.

Authorized use

Scan properties you operate. Passive header read only.

We do not permanently store URL scans.

Important notes & limitations

  • Presence scoring only — permissive * allowlists still earn points.
  • Does not test whether features actually work in browser UI.
  • Single URL snapshot — embed contexts may differ per route.
  • Feature token lists evolve — manual review of value string required.
  • Some frameworks set policy in middleware inconsistently across routes.

Frequently Asked Questions

Yes. VSPIC offers this Permissions-Policy checker at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

Same concept — modern name is Permissions-Policy. Backend accepts either header for checks.permissionsPolicy.present.

Use the security-headers action with the url parameter.

No. Presence earns the score points. Review the value tokens — a * allowlist is permissive despite presence.

Same API and JSON. This page focuses on checks.permissionsPolicy.

Disable camera, microphone, geolocation, payment, and USB unless your application explicitly needs them.

Yes, but JSON APIs often omit Permissions-Policy — acceptable when browsers never render HTML from that origin.

Next step for your check

Continue with security headers checker on VSPIC.
