Permissions-Policy Header Example: Deny All
It’s recommended to secure your server or web app by requiring only the browser permissions you really need. Unfortunately, the Permissions-Policy header has no single catch-all keyword that bans every permission.
What if you just have a static website and do not require any permissions? Or your web app does not need access to geolocation, the microphone or anything else? Is there a single header value that denies everything? Unfortunately, nothing like that exists yet, as evidenced by this issue on GitHub.
The best you can do is to inflate your headers by around 1.8 KB by using this header monster:
Permissions-Policy: accelerometer=(), all-screens-capture=(), ambient-light-sensor=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-dpr=(), ch-device-memory=(), ch-downlink=(), ch-ect=(), ch-prefers-color-scheme=(), ch-prefers-reduced-motion=(), ch-prefers-reduced-transparency=(), ch-rtt=(), ch-save-data=(), ch-ua=(), ch-ua-arch=(), ch-ua-bitness=(), ch-ua-platform=(), ch-ua-model=(), ch-ua-mobile=(), ch-ua-form-factors=(), ch-ua-full-version=(), ch-ua-full-version-list=(), ch-ua-platform-version=(), ch-ua-wow64=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(), clipboard-write=(), compute-pressure=(), controlled-frame=(), cross-origin-isolated=(), deferred-fetch=(), digital-credentials-get=(), direct-sockets=(), direct-sockets-private=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-out-of-viewport=(), execution-while-not-rendered=(), fenced-unpartitioned-storage-read=(), focus-without-user-activation=(), fullscreen=(), frobulate=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), interest-cohort=(), join-ad-interest-group=(), keyboard-map=(), local-fonts=(), magnetometer=(), media-playback-while-not-visible=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), popins=(), private-aggregation=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), run-ad-auction=(), screen-wake-lock=(), serial=(), shared-autofill=(), shared-storage=(), shared-storage-select-url=(), smart-card=(), speaker-selection=(), storage-access=(), sub-apps=(), sync-xhr=(), unload=(), usb=(), usb-unrestricted=(), vertical-scroll=(), web-app-installation=(), web-printing=(), web-share=(), window-management=(), xr-spatial-tracking=()
You can use this header on both Apache and nginx, or send it from a PHP script with PHP's header function.
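A header this long is easy to break when it is pasted into a config file. The sketch below is an added example, not code from the original page: it builds a deny-all value from a feature list and checks a header value for features that are not actually denied. Permissions-Policy is parsed as a comma-separated structured-field dictionary, and a value that fails to parse is dropped as a whole. The function names, the simplified member grammar and the four-feature sample list are assumptions made for illustration.

```python
import re

# Simplified member grammar (assumption): key=allowlist, where the allowlist is
# (), *, self, or a parenthesised list. Parameters, bare keys and commas inside
# quoted origins are not handled.
MEMBER = re.compile(r'^([a-z*][a-z0-9_.*-]*)=(\*|self|\([^()]*\))$')


def build_deny_all(features):
    """Join features into a comma-separated dictionary with empty allowlists."""
    return ", ".join(f"{name}=()" for name in features)


def parse_policy(value):
    """Return {feature: allowlist}; raise ValueError on a malformed member."""
    policy = {}
    for member in value.split(","):
        match = MEMBER.match(member.strip())
        if not match:
            raise ValueError(f"malformed member: {member.strip()!r}")
        # Drop inner spaces so "( )" and "()" compare equal.
        policy[match.group(1)] = match.group(2).replace(" ", "")
    return policy


def not_denied(value, features):
    """Features that are absent from the header or have a non-empty allowlist."""
    try:
        policy = parse_policy(value)
    except ValueError:
        # A header that fails to parse is ignored, so nothing is denied.
        return sorted(features)
    return sorted(f for f in features if policy.get(f) != "()")


if __name__ == "__main__":
    # Constructed sample: a small subset of the directives listed above.
    wanted = ["camera", "geolocation", "microphone", "usb"]
    print("Permissions-Policy:", build_deny_all(wanted))
    # Constructed header that allows geolocation and omits microphone.
    print(not_denied("camera=(), geolocation=(self), usb=()", wanted))
    # Constructed header with the commas missing: the whole value is invalid.
    print(not_denied("camera=() geolocation=() microphone=() usb=()", wanted))
```

Run `not_denied` against the value your server really sends (for example, copied from the browser's network panel) rather than the value in the config file, since a proxy or framework may rewrite or drop the header.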