Missing permissions policy
Quick win
Add a Permissions-Policy HTTP response header to explicitly restrict which browser features (camera, microphone, geolocation, etc.) your store's pages are allowed to use.
What it is
The Permissions-Policy header (formerly called Feature-Policy) is an HTTP response header that tells the browser which powerful features a page, and the iframes it embeds, may use. Think of it as a bouncer's list: each feature gets an allowlist of origins, and anything not on the list is refused. For example, you can declare that your store never needs a visitor's camera, microphone or precise location; the browser then fails those API calls outright, without even showing a permission prompt, so script injected into your page cannot talk a shopper into granting access. Without the header, browsers fall back to each feature's default allowlist. For the sensitive features that default is 'self': your own origin, and therefore any script running in your page including third-party tags, may request the feature subject only to the user's permission prompt, while cross-origin iframes get it only if you delegate it with an allow attribute.
Why it matters
Scanners flag the missing header under OWASP A05:2021 (Security Misconfiguration), one of the most common vulnerability categories found on real sites. Third-party scripts (ad networks, chat widgets, analytics) and injected malicious code run with your page's privileges; without the header, the only thing between them and a shopper's camera, microphone or location is a permission prompt that the shopper can be tricked into accepting, or may already have accepted for your site. Denying the feature in the header removes that avenue: nothing on the page can request it at all. For an ecommerce store that is a direct privacy and trust risk: a single reported incident of covert data capture can destroy customer confidence and trigger GDPR/CCPA regulatory scrutiny. Adding the header is a low-effort, high-signal hardening step that security scanners and auditors look for as a mark of a well-maintained site.
How to fix it
- Decide which browser features your store legitimately needs. Most stores need none of the sensitive ones (camera, microphone, geolocation, payment, USB, etc.), so the safest default is to disable them all.
- Compose your Permissions-Policy header value. A safe baseline for most stores is: `camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)`. An empty `()` means no origin, your own included, may use the feature; `(self)` means only your own origin may. Note that `(self)` also denies the feature to cross-origin iframes, so `fullscreen=(self)` blocks fullscreen for an embedded third-party video player; if you rely on one, add its origin, for example `fullscreen=(self "https://player.example")`, together with `allow="fullscreen"` on the iframe.
- Deliver the header on every HTTP response from your store — ideally at the server/CDN/edge level so it applies to all pages automatically, not just one template.
- If you use a CDN or reverse proxy (Cloudflare, Fastly, etc.), configure the header there so it is added to all responses without touching individual platform settings.
- After deploying, verify the header is present by opening Chrome DevTools → Network tab → click any page request → look under Response Headers for 'Permissions-Policy'. Alternatively, use securityheaders.com to scan your domain.
- Review and update the policy whenever you add a third-party embed that legitimately needs a browser feature (for example a video-chat widget that needs the camera). Grant only that feature to that specific origin, e.g. `camera=(self "https://widget.example")`, and add the matching `allow="camera"` attribute on the embed's <iframe>; a cross-origin frame needs both the header entry and the allow attribute before the browser will let it use the feature.
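To make those semantics concrete, here is an added Python example (not code from the original page) that models how a browser evaluates a Permissions-Policy header, following the specification's inheritance algorithm for a top-level page and one level of iframe. It shows that `()` denies a feature even to your own scripts, that `(self)` blocks delegation to a cross-origin frame even when the frame carries an `allow` attribute, that a header entry of `*` alone does not delegate without `allow`, and it audits a header value against the baseline above. The origins, header values and `allow` attributes used are constructed sample data.

```python
"""Model of how browsers evaluate Permissions-Policy (the spec's inheritance
algorithm, reduced to a top-level page and one iframe level).
Added example, not code from the original page; all origins are constructed."""
from dataclasses import dataclass
from typing import Optional

# Every feature in the page's baseline defaults to 'self' in current browsers.
DEFAULT_ALLOWLIST = {f: "self" for f in
                     ("camera", "microphone", "geolocation", "payment", "usb", "fullscreen")}
SENSITIVE = ("camera", "microphone", "geolocation", "payment", "usb")
BASELINE = 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)'


def parse_header(value: str) -> dict:
    """Header syntax: feature=(token ...) | feature=* | feature=self.
    Tokens are self, *, or a quoted origin; quotes are stripped here."""
    policy = {}
    for item in filter(None, (i.strip() for i in value.split(","))):
        name, eq, rhs = item.partition("=")
        rhs = rhs.strip()
        if not eq or not rhs:
            raise ValueError(f"malformed Permissions-Policy item: {item!r}")
        tokens = rhs[1:-1].split() if rhs.startswith("(") and rhs.endswith(")") else [rhs]
        policy[name.strip().lower()] = [t.strip('"') for t in tokens]
    return policy


def parse_allow_attribute(value: str) -> dict:
    """<iframe allow="..."> syntax: feature [token ...]; ... with tokens 'self',
    'src', 'none', * or an unquoted origin. A feature with no token means 'src'."""
    policy = {}
    for decl in value.split(";"):
        parts = decl.split()
        if parts:
            tokens = parts[1:] or ["'src'"]
            policy[parts[0].lower()] = [] if tokens == ["'none'"] else [t.strip("'") for t in tokens]
    return policy


def allowlist_matches(allowlist, origin, self_origin, src_origin=None) -> bool:
    return any(tok == "*" or tok == origin
               or (tok == "self" and origin == self_origin)
               or (tok == "src" and origin == src_origin)
               for tok in allowlist)


@dataclass
class Document:
    origin: str
    header: str = ""                        # Permissions-Policy response header ("" = absent)
    parent: Optional["Document"] = None     # embedding document; None for the top-level page
    allow: str = ""                         # allow attribute of the <iframe> embedding this doc


def inherited_policy(feature: str, doc: Document) -> bool:
    """Spec: 'define an inherited policy for feature in container at origin'."""
    parent = doc.parent
    if parent is None:
        return True
    # A page that is denied the feature itself cannot delegate it to a frame.
    if not feature_enabled(feature, parent, parent.origin):
        return False
    # The parent's header allowlist, if it names the feature, must cover the frame's origin.
    declared = parse_header(parent.header)
    if feature in declared and not allowlist_matches(declared[feature], doc.origin, parent.origin):
        return False
    # Then the iframe's allow attribute decides. Absent, the default allowlist applies,
    # and 'self' only covers same-origin frames: a header of `*` alone is not enough.
    container = parse_allow_attribute(doc.allow)
    if feature in container:
        return allowlist_matches(container[feature], doc.origin, parent.origin, src_origin=doc.origin)
    return DEFAULT_ALLOWLIST.get(feature, "self") == "*" or doc.origin == parent.origin


def feature_enabled(feature: str, doc: Document, origin: str) -> bool:
    """Spec: 'is feature enabled in document for origin'. For the document's own
    scripts pass origin=doc.origin. True only means the API may be called; camera,
    microphone and geolocation still show the user's permission prompt."""
    if not inherited_policy(feature, doc):
        return False
    declared = parse_header(doc.header)
    if feature in declared:
        return allowlist_matches(declared[feature], origin, doc.origin)
    return DEFAULT_ALLOWLIST.get(feature, "self") == "*" or origin == doc.origin


def audit(header_value: str) -> list:
    """Findings against the page's baseline; [] means every sensitive feature is denied to everyone."""
    declared = parse_header(header_value)
    findings = []
    for feature in SENSITIVE:
        if feature not in declared:
            findings.append(f"{feature}: not declared, browser default 'self' lets your own scripts request it")
        elif declared[feature]:
            findings.append(f"{feature}: still allowed for {declared[feature]}")
    return findings


if __name__ == "__main__":
    store = Document("https://shop.example", header=BASELINE)
    widget = Document("https://chat.example", parent=store, allow="camera; microphone")
    print(feature_enabled("camera", store, store.origin))    # False: () denies even the store itself
    print(feature_enabled("camera", widget, widget.origin))  # False: header blocks delegation despite allow=
    print(audit("camera=(), microphone=()"))                 # geolocation, payment, usb not declared
```

The model assumes every listed feature has the spec default allowlist 'self', which holds for the sensitive features in the baseline; a feature whose default is `*` would take the other branch. To audit a live store, copy the Permissions-Policy value out of the Response Headers shown in DevTools and pass it to `audit()`; an empty result means the baseline is met, and any finding names the feature and who can still use it.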
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)
Fix it on your platform
Pick your platform for the exact steps.
How to fix missing permissions policy on Shopify
- Shopify's hosted infrastructure exposes no web-server configuration (no .htaccess or nginx.conf) and no response-header setting in the Admin, so you cannot add arbitrary HTTP headers to storefront responses directly.
- Be wary of apps that claim to add security headers: Shopify apps inject markup and scripts into the theme and have no supported way to change storefront HTTP response headers. Verify any such claim in DevTools before relying on it.
- If your domain is on your own Cloudflare zone and the storefront is proxied through it, add the header there with a Transform Rule (see the Cloudflare steps below). Shopify itself is served through Cloudflare, so follow Shopify's and Cloudflare's current guidance on proxying a Shopify store before turning the proxy on.
- There is no in-theme workaround: browsers do not honor Permissions-Policy delivered in a <meta http-equiv> tag (unlike Content-Security-Policy), so adding one to layout/theme.liquid changes nothing except the HTML that a naive scanner reads. What the theme does control is delegation: review the allow attribute on every <iframe> your theme and installed apps emit, because a cross-origin frame only receives camera, microphone, geolocation, payment or USB access if an allow attribute grants it.
- Verify by loading your storefront and checking Response Headers in the browser DevTools Network tab.
How to fix missing permissions policy on Shopify Plus
- Shopify Plus stores run on the same hosted infrastructure as standard Shopify, and the Admin exposes no response-header setting, so the options are the same as for standard Shopify.
- If the domain is proxied through your own Cloudflare zone, use Cloudflare Transform Rules → Modify Response Headers → add header name 'Permissions-Policy' with your policy value (check Shopify's guidance on proxying first).
- Do not rely on a <meta http-equiv='Permissions-Policy'> tag in layout/theme.liquid: browsers ignore it for this header. Audit the allow attributes on embedded iframes instead.
- Verify with Chrome DevTools → Network → Response Headers.
How to fix missing permissions policy on WooCommerce
- WooCommerce runs on self-hosted WordPress, typically behind Apache or Nginx, so you can set the header at the web-server level or via a plugin.
- Easiest plugin method: install the free 'Headers Security Advanced & HSTS WP' plugin or the 'HTTP Headers' plugin from the WordPress plugin directory (Plugins → Add New → search for the plugin name).
- In the chosen plugin's settings page, find the Permissions-Policy field and enter your policy value: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self). Save.
- Apache server-level alternative: add to the .htaccess file in the WordPress root (via SFTP or your host's file manager), outside the `# BEGIN WordPress` / `# END WordPress` block that WordPress rewrites: `Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)"`. Requires mod_headers (`a2enmod headers` on Debian/Ubuntu).
- Nginx server-level alternative: add `add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)" always;` to your server {} block. Nginx does not merge add_header across levels: a location {} block with its own add_header (common for the PHP handler or /wp-admin) drops every header inherited from the server block, so repeat the directive there or include a shared snippet in each such block. Run `nginx -t`, then reload Nginx.
- Verify with Chrome DevTools → Network tab → Response Headers, or use securityheaders.com.
How to fix missing permissions policy on WordPress.org
- Install a security headers plugin: go to Plugins → Add New, search for 'HTTP Headers' or 'Headers Security Advanced & HSTS WP', install and activate.
- Open the plugin's settings panel and locate the Permissions-Policy (or Feature-Policy) section. Enter the policy value: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self).
- Save settings. The plugin sets the header from PHP, so it applies to every page WordPress renders; static files served directly by the web server do not get it, which is fine because Permissions-Policy only has an effect on HTML documents.
- Alternatively, without a plugin, hook WordPress's send_headers action: `add_action('send_headers', function () { header('Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)'); });`. Put it in a child theme's functions.php or a must-use plugin (wp-content/mu-plugins/) rather than the parent theme's functions.php, which a theme update overwrites.
- Verify with browser DevTools or securityheaders.com.
How to fix missing permissions policy on BigCommerce
- BigCommerce is a hosted SaaS platform; merchants cannot configure response headers at the server level.
- The recommended approach is to front your store with Cloudflare (free tier is sufficient) and add the Permissions-Policy header via Cloudflare Transform Rules: log in to Cloudflare → select your domain → Rules → Transform Rules → Modify Response Headers → Create Rule → Add header: Name = 'Permissions-Policy', Value = 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)'.
- There is no in-platform fallback: Storefront → Script Manager injects markup and scripts, it cannot set HTTP headers, and browsers ignore Permissions-Policy in a <meta http-equiv> tag. Review the allow attributes on iframes your theme and apps embed instead.
- Verify via Chrome DevTools → Network → Response Headers after the Cloudflare rule is live.
How to fix missing permissions policy on Wix
- Wix is a fully hosted platform: there is no way to set HTTP response headers from the Wix dashboard, and no Wix-native way to deliver real security headers at all.
- The only route is to proxy the site through Cloudflare and inject the header at the edge: add your Wix domain to Cloudflare, then Rules → Transform Rules → Modify Response Headers → add the 'Permissions-Policy' header with your policy value. Confirm in Wix's documentation that your domain connection method supports proxying before changing nameservers.
- Verify the header is present using Chrome DevTools → Network → Response Headers once Cloudflare is active.
How to fix missing permissions policy on Wix Studio
- Like standard Wix, Wix Studio does not provide access to server-level HTTP response headers.
- Proxy your site through Cloudflare and use Transform Rules → Modify Response Headers to add: Name = 'Permissions-Policy', Value = 'camera=(), microphone=(), geolocation=(), payment=(), usb=()'.
- Verify with Chrome DevTools → Network tab → Response Headers.
How to fix missing permissions policy on Squarespace
- Squarespace does not allow direct HTTP header configuration from the admin panel.
- Add your domain to Cloudflare (change your domain's nameservers at your registrar to Cloudflare's), then in Cloudflare: Rules → Transform Rules → Modify Response Headers → Create a rule to add 'Permissions-Policy' header.
- Code Injection (Settings → Advanced → Code Injection → Header) is not a fallback: it adds HTML to the page, and browsers ignore a <meta http-equiv='Permissions-Policy'> tag, so there is no native way to deliver this header. Review the allow attributes on embedded iframes instead.
- Verify using Chrome DevTools → Network → Response Headers.
How to fix missing permissions policy on Webflow
- Webflow's standard hosting plans do not expose HTTP response header configuration in the dashboard.
- Webflow Enterprise plans can include custom response headers; confirm with Webflow support whether your plan has them and, if so, set Permissions-Policy there.
- For all other plans, use Cloudflare as a proxy: add your Webflow site's domain to Cloudflare → Rules → Transform Rules → Modify Response Headers → Add header 'Permissions-Policy' with value 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)'.
- Project Settings → Custom Code → Head Code is not a fallback: browsers ignore a <meta http-equiv='Permissions-Policy'> tag. Review the allow attributes on iframes you embed instead.
- Verify with Chrome DevTools → Network → Response Headers.
How to fix missing permissions policy on Adobe Commerce (Magento)
- For Apache-based deployments: edit your .htaccess file in the Magento root directory or your virtual host config and add: `Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)"`; ensure mod_headers is enabled in Apache.
- For Nginx-based deployments: add `add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)" always;` to the server {} block, and to any location {} block that declares its own add_header (Nginx does not merge them), then run `nginx -t` to validate and `systemctl reload nginx`.
- Alternatively, set it from a custom module the same way Magento sets X-Frame-Options and X-Content-Type-Options: implement Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface (extend AbstractHeaderProvider with $headerName = 'Permissions-Policy' and $headerValue set to your policy) and register it in your module's di.xml in the headerProviderList argument of Magento\Framework\App\Response\HeaderManager. A plugin on Magento\Framework\App\Response\Http also works, but it must run before the response is sent: declare beforeSendResponse(Http $subject) and call $subject->setHeader('Permissions-Policy', '...', true); an afterSendResponse method runs after the headers have already gone to the client.
- On Adobe Commerce Cloud, headers declared under web.locations in .magento.app.yaml apply only to static assets, not to PHP-rendered pages, so set the header on HTML responses either via the module above or at Fastly (the bundled CDN): Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration → Custom VCL Snippets, with a deliver snippet such as `set resp.http.Permissions-Policy = "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)";`.
- Flush the full-page cache after any change: System → Cache Management → Flush Magento Cache.
- Verify with Chrome DevTools → Network → Response Headers.
How to fix missing permissions policy on Magento Open Source
- For Apache: add to .htaccess in Magento root: `Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"` (requires mod_headers).
- For Nginx: add to your server {} block: `add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;` and reload Nginx.
- Alternatively, build a small custom module that registers a HeaderProviderInterface implementation in the headerProviderList of Magento\Framework\App\Response\HeaderManager (the mechanism core uses for X-Frame-Options), or a beforeSendResponse plugin on Magento\Framework\App\Response\Http; see the Adobe Commerce section above for details.
- Clear caches: php bin/magento cache:flush
- Verify via Chrome DevTools Network tab or securityheaders.com.
How to fix missing permissions policy on PrestaShop
- For Apache: edit .htaccess in the PrestaShop root and add `Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)"`. PrestaShop regenerates this file and keeps only what lies outside its `# ~~start~~` / `# ~~end~~` marker comments, so place the directive outside that block or it will be lost on the next regeneration.
- For Nginx: add `add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;` to your server block and reload Nginx.
- Alternatively, create a custom PrestaShop module that hooks into actionDispatcher or uses PHP's header() call early in the bootstrap to set the header.
- Verify with Chrome DevTools or securityheaders.com.
How to fix missing permissions policy on Next.js
- Open next.config.js in your project root.
- Add or extend the async `headers()` function so every route gets the header: `async headers() { return [{ source: '/(.*)', headers: [{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)' }] }]; }`
- Save the file and redeploy (`npm run build && npm start` for a self-hosted production server). `headers()` is applied by the Next.js server; it has no effect on a static export (`output: 'export'`), where the header must be set by whatever serves the files.
- Verify with Chrome DevTools → Network → Response Headers.
Does your site have this issue?
Run a free SEOLZ audit to find missing permissions policy — and every other issue — across your whole site in minutes.
Frequently asked questions
What is Missing permissions policy?
Permissions-Policy is an HTTP response header that lists, per browser feature (camera, microphone, geolocation, payment, USB and others), which origins may use it on your pages and in the iframes they embed. 'Missing permissions policy' means your store sends no such header, so each feature falls back to the browser default, which lets your own origin, and any script running in your page, request it.
Why does missing permissions policy matter?
Scanners flag it under OWASP A05:2021 (Security Misconfiguration). Without the header, the only barrier between third-party or injected script and a shopper's camera, microphone or location is the browser's permission prompt; denying those features in the header makes the API calls fail outright. For a store that is a privacy and trust risk with GDPR/CCPA implications, and the header is one of the cheapest hardening measures available.
How do I fix missing permissions policy?
Add a Permissions-Policy HTTP response header to explicitly restrict which browser features (camera, microphone, geolocation, etc.) your store's pages are allowed to use.
Authoritative references
- OWASP Top Ten — OWASP
- OWASP Cheat Sheet Series — OWASP
- Secure Headers Project — OWASP