
Security Headers – Feature-Policy

The Feature-Policy header is a response header that lets a site control which browser features and APIs (camera, geolocation, microphone and so on) a page, and the frames it embeds, may use.

By listing which features are allowed, and for which origins, or denied altogether, administrators limit what a compromised script or a third-party iframe can do on the page, which improves both security and privacy.

Note that Feature-Policy is the legacy name for this mechanism. Current browsers implement it as the Permissions-Policy header, which uses a different value syntax (for example geolocation=(self), camera=()). New deployments should send Permissions-Policy, optionally alongside Feature-Policy for older browsers.

Purpose of Feature-Policy

The primary purpose of the Feature-Policy header is to provide granular control over browser features and APIs in order to mitigate security and privacy risks. For each feature the administrator defines an allowlist: the feature can be restricted to the page's own origin, delegated to specific third-party origins (for example a payment provider loaded in an iframe), or disabled everywhere on the page.

How Feature-Policy Works

Each Feature-Policy directive names one feature or API and carries an allowlist of origins permitted to use it. The header defines considerably more than nine directives (autoplay, fullscreen and sync-xhr among others); the ones most often restricted, and the ones this article covers, are listed below.

Those directives include:

accelerometer: controls the use of the device's accelerometer.
camera: controls access to the user's camera.
geolocation: controls access to the user's geolocation.
gyroscope: controls the use of the device's gyroscope.
magnetometer: controls the use of the device's magnetometer.
microphone: controls access to the user's microphone.
payment: controls access to the Payment Request API.
usb: controls access to USB devices (WebUSB).
xr-spatial-tracking (formerly vr, then xr): controls access to WebXR virtual and augmented reality sessions.

In the header value, directives are separated by semicolons and each allowlist is a space-separated list of 'self', 'none', '*' or origins; the keywords are written in single quotes. This example allows geolocation only from the page's own origin ('self'), denies camera access for every origin including the page itself ('none'), and allows microphone access only from the page's own origin ('self'):

Feature-Policy: geolocation 'self'; camera 'none'; microphone 'self'
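To see how such a value is evaluated, here is an added example in JavaScript (written for this article; it is not code from NOC.org or from any browser). It parses a Feature-Policy value, decides whether a given origin may use a feature in a document served from a given origin, and rewrites the policy in the newer Permissions-Policy syntax. The header values and origins are constructed for illustration; the fallback of 'self' for a feature missing from the header and the treatment of an empty allowlist as 'none' are assumptions of the example.

```javascript
// Added example, not part of the original article: parse a Feature-Policy value,
// decide whether an origin may use a feature, and emit the equivalent
// Permissions-Policy syntax. All header values and origins are constructed.

// Parse "geolocation 'self'; camera 'none'" into
// { geolocation: ["'self'"], camera: ["'none'"] }. Directives are separated by
// semicolons; each is a feature name followed by a whitespace-separated allowlist
// of '*', 'self', 'none' or origins. Matching is case-insensitive.
function parseFeaturePolicy(value) {
  const policy = {};
  for (const clause of value.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens.map((t) => t.toLowerCase());
    // A directive with no allowlist is treated conservatively as 'none' here
    // (an assumption of this example, not a statement about every browser).
    policy[feature] = allowlist.length ? allowlist : ["'none'"];
  }
  return policy;
}

// Decide whether `origin` may use `feature` inside a document served from
// `documentOrigin` with this policy. 'none' wins over everything else; '*'
// allows every origin; 'self' allows only the document's own origin; any
// other entry is an origin that the feature is delegated to.
// A feature absent from the header keeps the browser default, which for the
// features listed in this article is 'self' (assumed here for all features).
function isAllowed(policy, feature, origin, documentOrigin) {
  const allowlist = policy[feature.toLowerCase()];
  const o = origin.toLowerCase();
  const self = documentOrigin.toLowerCase();
  if (allowlist === undefined) return o === self;
  if (allowlist.includes("'none'")) return false;
  return allowlist.some(
    (entry) => entry === '*' || (entry === "'self'" && o === self) || entry === o
  );
}

// Rewrite the parsed policy in Permissions-Policy form: quoted keywords lose
// their quotes, origins gain double quotes, 'none' becomes an empty list ()
// and '*' stands alone, e.g. geolocation=(self), camera=(), usb=*.
function toPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      if (allowlist.includes("'none'")) return `${feature}=()`;
      if (allowlist.includes('*')) return `${feature}=*`;
      const items = allowlist.map((e) => (e === "'self'" ? 'self' : `"${e}"`));
      return `${feature}=(${items.join(' ')})`;
    })
    .join(', ');
}

// Usage: the header from the article plus a payment directive delegated to a
// (constructed) third-party checkout origin.
const policy = parseFeaturePolicy(
  "geolocation 'self'; camera 'none'; microphone 'self'; payment 'self' https://pay.example.org"
);
console.log(isAllowed(policy, 'geolocation', 'https://www.example.com', 'https://www.example.com')); // true
console.log(isAllowed(policy, 'geolocation', 'https://ads.example.net', 'https://www.example.com')); // false
console.log(isAllowed(policy, 'camera', 'https://www.example.com', 'https://www.example.com'));      // false
console.log(isAllowed(policy, 'payment', 'https://pay.example.org', 'https://www.example.com'));     // true
console.log(toPermissionsPolicy(policy));
// geolocation=(self), camera=(), microphone=(self), payment=(self "https://pay.example.org")
```

The delegated payment origin shows why the allowlist matters in practice: an iframe from https://pay.example.org may call the Payment Request API, while a script or frame from any other third-party origin on the same page cannot, and no origin at all, not even the page itself, can open the camera.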

Configure Feature-Policy via Web Servers

The examples below assume you already know where header directives belong in your web server's configuration (virtual host, server or location block).

Apache

<IfModule mod_headers.c>
    # "always" applies the header to every response, including error pages.
    Header always set Feature-Policy "geolocation 'self'; camera 'none'; microphone 'self'"
</IfModule>

NGINX

# "always" sends the header on non-2xx/3xx responses as well. Note that nginx only
# inherits add_header from the enclosing block when the current block defines no
# add_header of its own, so repeat this line in any server or location block that
# adds other headers.
add_header Feature-Policy "geolocation 'self'; camera 'none'; microphone 'self'" always;
Updated on December 13, 2023