Permissions Policy Header Not Set
Reference
Plugin Id: 10063 | CWE: 693
Remediation
To fix the “Permissions Policy Header Not Set” vulnerability, you need to add the Permissions-Policy header to your web server configuration. This header allows you to specify which browser features can be used by your web resources. By setting appropriate permissions, you can restrict unauthorized access or usage of sensitive features such as camera, microphone, location, and full screen.
To add the Permissions-Policy header, follow these steps:
- Apache: Add the following line to your
.htaccess
file or Apache configuration file:Header set Permissions-Policy "camera=(), microphone=(), geolocation=(), fullscreen=()"
- Nginx: Add the following line to your Nginx configuration file within the
http
block:add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), fullscreen=()";
- IIS: Open the IIS Manager, select your website, and go to the “HTTP Response Headers” feature. Add a new header with the name “Permissions-Policy” and the value “camera=(), microphone=(), geolocation=(), fullscreen=()”.
Make sure to adjust the permissions according to your specific requirements. For example, if your website requires camera access, you can remove the camera=()
part from the header value.
About
The Permissions Policy Header is an added layer of security that helps restrict unauthorized access or usage of browser/client features by web resources. It ensures user privacy by limiting or specifying which features of the browser can be used by web resources. By setting the Permissions-Policy header, website owners can control access to features such as camera, microphone, location, and full screen.
Risks
If the Permissions Policy Header is not set, web resources may have unrestricted access to sensitive browser features. This can lead to potential privacy breaches, unauthorized data collection, or misuse of user resources. Attackers could exploit these features to capture sensitive information, record audio/video without consent, track user locations, or force the browser into full-screen mode without user interaction. It is crucial to set the Permissions Policy Header to mitigate these risks and protect user privacy.