How to fix missing permissions policy on Shopify

Steps for Shopify

1. Shopify's shared infrastructure does not expose a web-server config file (no .htaccess or nginx.conf), so you cannot set arbitrary response headers directly.
2. The best approach is to use a Shopify app that injects security headers: search the Shopify App Store for 'Security Headers' apps (e.g., 'EasyAuth Security Headers' or 'Locksmith' for edge-level header injection).
3. Alternatively, if your store is behind Cloudflare, add the header there (see Cloudflare steps below) — this is the most reliable method for Shopify stores.
4. For a theme-level partial workaround: in the Shopify Admin go to Online Store → Themes → Actions → Edit Code. Open layout/theme.liquid and add a <meta http-equiv='Permissions-Policy' content='camera=(), microphone=(), geolocation=()'> tag inside the <head> section. Note: meta http-equiv is NOT a true HTTP header and offers weaker protection, but it is the only native in-theme option available without server access.
5. Verify by loading your storefront and checking Response Headers in browser DevTools Network tab.

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)

What is missing permissions policy?

The Permissions-Policy header (formerly called Feature-Policy) is a security instruction your web server sends to every visitor's browser. It acts like a bouncer's list for powerful browser features — it tells the browser exactly which features your site is allowed to use, and blocks everything else. For example, you can declare that your store never needs access to a visitor's camera, microphone, or precise location, so even if malicious code was somehow injected into your page, the browser would refuse to grant that access. Without this header, browsers apply loose default rules, leaving those features potentially available to any script running on your pages.

Missing this header is flagged under OWASP A05:2021 (Security Misconfiguration) — one of the most common vulnerability categories found on real sites. If third-party scripts (ad networks, chat widgets, analytics) or injected malicious code try to silently access a shopper's camera, microphone, or location, nothing at the browser level stops them without this header. For an ecommerce store, that is a direct privacy and trust risk: a single reported incident of covert data capture can destroy customer confidence and trigger GDPR/CCPA regulatory scrutiny. Adding this header is a low-effort, high-signal security hardening step that security auditors and increasingly Google's ranking systems look for as a mark of a trustworthy site.

See the complete Missing permissions policy guide for every platform and the full background.