security · warning · impact tier 1 · ✓ verified · 99% confidence
Site missing Permissions-Policy header
from security agent · cross-site verified across production deployments
The trigger
Site missing Permissions-Policy header
The fix
Add a Permissions-Policy header restricting browser features your site doesn't use. Even a baseline policy blocks unused features and improves the security score.
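To check a deployed header value against such a baseline, the following added example (not part of the original page or of the scanner it describes) parses a Permissions-Policy value and lists the required features that are absent or not set to an empty allowlist. The function names, the BASELINE list and the sample values are assumptions made for illustration.

```javascript
// Added example: audit a Permissions-Policy value against a baseline.
// BASELINE is an assumption: the four features this page's policy disables.
const BASELINE = ['camera', 'microphone', 'geolocation', 'interest-cohort'];

// Parse 'camera=(), geolocation=(self "https://a.example")' into a Map of
// feature -> allowlist items. An empty array means "disabled everywhere".
// Simplification: allowlist URLs containing ")" are not handled.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  if (typeof value !== 'string') return policy; // header absent
  const directive = /([a-z][a-z0-9-]*)\s*=\s*(?:\(([^)]*)\)|([^,\s]+))/gi;
  for (const m of value.matchAll(directive)) {
    // m[2]: contents of "(...)"; m[3]: a bare item such as * or self.
    const items = m[2] !== undefined
      ? m[2].trim().split(/\s+/).filter(Boolean)
      : [m[3]];
    policy.set(m[1].toLowerCase(), items); // a repeated feature: last one wins
  }
  return policy;
}

// Report each required feature that is not explicitly set to "()".
// A feature with no directive keeps its browser default allowlist,
// so it is reported as "missing" rather than treated as disabled.
function auditPolicy(value, required = BASELINE) {
  const policy = parsePermissionsPolicy(value);
  const findings = [];
  for (const feature of required) {
    const allowlist = policy.get(feature);
    if (allowlist === undefined) findings.push({ feature, issue: 'missing' });
    else if (allowlist.length > 0) findings.push({ feature, issue: 'allowed', allowlist });
  }
  return findings;
}

// Constructed sample header values (not captured from a real site).
const SAMPLES = {
  baseline: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
  partial: 'camera=(), geolocation=(self "https://maps.example")',
  wildcard: 'camera=*, microphone=(), geolocation=(), interest-cohort=()',
};
for (const [label, value] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(auditPolicy(value)));
}
```

An empty result means every baseline feature is explicitly disabled; pass a different `required` array to audit the features your own site does not use.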
Code example
# Cloudflare/nginx/Vercel headers config:
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

// Next.js next.config.js: headers() must be an async function that returns the rules
module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()' }]
    }]
  }
}
Related patterns
security · warning: Site missing Referrer-Policy header
security · warning: Site missing X-Content-Type-Options header
security · critical: Site missing X-Frame-Options header
security · critical: Site missing HSTS (Strict-Transport-Security) header
security · critical: Site missing Content-Security-Policy header
security · high: prefix_match_middleware_bug