Permissions Policy Header Not Set

Risk:
Low

Type:
Passive

CWE:
CWE-693

Summary: Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

Solution: Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy

https://developer.chrome.com/blog/feature-policy/

https://scotthelme.co.uk/a-new-security-header-feature-policy/

https://w3c.github.io/webappsec-feature-policy/

https://www.smashingmagazine.com/2018/12/feature-policy/

Latest Security News

Top CVE List

Common Security Alerts

InformationalCORS Header
HighCross-Domain Misconfiguration - Adobe - Send
HighCross Site Scripting (DOM Based)
MediumCSP: Meta Policy Invalid Directive
LowStrict-Transport-Security Multiple Header Entries (Non-compliant with Spec)
MediumSource Code Disclosure - PHP
MediumHTTP Parameter Override
HighXML External Entity Attack
MediumHTTP Only Site
MediumHTTP to HTTPS Insecure Transition in Form Post

Common CWEs

Free online web security scanner

Don't show website scan report rating on the leaderboard