Permissions Policy Header Generator
Generate Permissions-Policy headers for browser features like camera, microphone, geolocation, fullscreen, payment, USB, clipboard, autoplay, and more directly in your browser.
Header Settings
Permissions-Policy controls which browser features are allowed on your page and in embedded frames. Browser support can vary, so test the final header on the pages that use these APIs.
Browser Features
Choose which features to include and how each feature should be allowed. Use custom origins only when a trusted third-party origin needs access.
Camera
camera
Controls access to camera devices.
Microphone
microphone
Controls access to microphone devices.
Geolocation
geolocation
Controls browser location access.
Fullscreen
fullscreen
Controls fullscreen API access.
Payment
payment
Controls Payment Request API access.
USB
usb
Controls WebUSB access.
Serial
serial
Controls Web Serial API access.
Bluetooth
bluetooth
Controls Web Bluetooth access where supported.
Clipboard Read
clipboard-read
Controls reading from the clipboard.
Clipboard Write
clipboard-write
Controls writing to the clipboard.
Display Capture
display-capture
Controls screen sharing / display capture.
Web Share
web-share
Controls Web Share API access.
Accelerometer
accelerometer
Controls accelerometer sensor access.
Gyroscope
gyroscope
Controls gyroscope sensor access.
Magnetometer
magnetometer
Controls magnetometer sensor access.
Autoplay
autoplay
Controls autoplay for audio and video media.
Encrypted Media
encrypted-media
Controls Encrypted Media Extensions for protected media.
Picture in Picture
picture-in-picture
Controls picture-in-picture video behavior.
Passkey / WebAuthn Get
publickey-credentials-get
Controls reading public-key credentials with WebAuthn.
Screen Wake Lock
screen-wake-lock
Controls whether the page can keep the screen awake.
XR Spatial Tracking
xr-spatial-tracking
Controls spatial tracking for WebXR experiences.
Output
Generated Permissions-Policy output will appear here.
Generating Permissions-Policy Headers
Permissions-Policy is a browser security header that controls access to powerful browser features. It can block or limit APIs such as camera, microphone, geolocation, payment, USB, clipboard, fullscreen, display capture, and sensors.
This Permissions Policy Header Generator helps you build a clear header without writing every directive by hand. You can start with a strict, balanced, or media-friendly preset, then adjust each feature based on what your site actually needs.
Creating a Browser Feature Policy Header
- Choose a preset or start editing features manually.
- Set each feature to none, self, all, or custom origins.
- Generate the Permissions-Policy header.
- Review warnings for broad or custom access.
- Copy the header for your server, CDN, or hosting provider.
Common Permissions Policy Use Cases
- Blocking camera and microphone on pages that do not need them.
- Disabling geolocation for privacy-sensitive pages.
- Allowing fullscreen, picture-in-picture, or WebAuthn only for the same origin.
- Limiting payment, USB, serial, and Bluetooth APIs.
- Creating safer defaults for embedded frames.
- Preparing a modern browser security header for a website.
- Testing a policy before adding it to a CDN or hosting provider.
Example Permissions-Policy Header
Permissions-Policy: camera=(), microphone=(), geolocation=(), fullscreen=(self)
Only Allow Features You Really Need
A good Permissions-Policy header is usually restrictive. If your page does not use camera, microphone, USB, payment, or geolocation, it is safer to block those features instead of leaving access open.
Some directives may behave differently across browsers because Permissions-Policy support is still not equal everywhere. Test the final header on the pages that use browser APIs, especially if your site embeds third-party frames, payments, sign-in flows, or media tools.
Frequently Asked Questions
What is a Permissions-Policy header?
It is a browser response header that controls which browser features a page or embedded frame is allowed to use. The header can contain one directive or many comma-separated directives.
Is Permissions-Policy the same as Feature-Policy?
Permissions-Policy is the newer name and format. Feature-Policy was the older version used by some browsers in the past.
What does camera=() mean?
It means camera access is disabled for the page and its allowed contexts.
What does fullscreen=(self) mean?
It allows fullscreen only for the same origin.
Does every browser support every directive?
No. Support can vary by directive and browser version. Use the generated header as a starting point, then test the pages that actually use those browser APIs.
Is anything uploaded when I generate the header?
No. The header is generated directly in your browser.
