How do I fix missing permissions policy on Wix?

Wix is a fully hosted platform and does not allow direct HTTP response header customisation through the admin panel. The only viable method is to proxy your Wix site through Cloudflare and inject the header at the Cloudflare edge: add your Wix domain to Cloudflare → Go to Rules → Transform Rules → Modify Response Headers → Add 'Permissions-Policy' header with your policy value. There is no Wix-native way to set true HTTP security headers without a proxy layer. Verify the header is present using Chrome DevTools → Network → Response Headers once Cloudflare is active.

How to fix missing permissions policy on Wix

Add a Permissions-Policy HTTP response header to explicitly restrict which browser features (camera, microphone, geolocation, etc.) your store's pages are allowed to use.

Steps for Wix

Wix is a fully hosted platform and does not allow direct HTTP response header customisation through the admin panel.
The only viable method is to proxy your Wix site through Cloudflare and inject the header at the Cloudflare edge: add your Wix domain to Cloudflare → Go to Rules → Transform Rules → Modify Response Headers → Add 'Permissions-Policy' header with your policy value.
There is no Wix-native way to set true HTTP security headers without a proxy layer.
Verify the header is present using Chrome DevTools → Network → Response Headers once Cloudflare is active.

Official Wix documentation ↗

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), fullscreen=(self)

What is missing permissions policy?

The Permissions-Policy header (formerly called Feature-Policy) is a security instruction your web server sends to every visitor's browser. It acts like a bouncer's list for powerful browser features — it tells the browser exactly which features your site is allowed to use, and blocks everything else. For example, you can declare that your store never needs access to a visitor's camera, microphone, or precise location, so even if malicious code was somehow injected into your page, the browser would refuse to grant that access. Without this header, browsers apply loose default rules, leaving those features potentially available to any script running on your pages.

Missing this header is flagged under OWASP A05:2021 (Security Misconfiguration) — one of the most common vulnerability categories found on real sites. If third-party scripts (ad networks, chat widgets, analytics) or injected malicious code try to silently access a shopper's camera, microphone, or location, nothing at the browser level stops them without this header. For an ecommerce store, that is a direct privacy and trust risk: a single reported incident of covert data capture can destroy customer confidence and trigger GDPR/CCPA regulatory scrutiny. Adding this header is a low-effort, high-signal security hardening step that security auditors and increasingly Google's ranking systems look for as a mark of a trustworthy site.

See the complete Missing permissions policy guide for every platform and the full background.

Not sure if your Wix store has this?

Run a free SEOLZ audit — we’ll find missing permissions policy and every other issue across your whole site.

Scan my site free

How to fix missing permissions policy on Wix

Steps for Wix

What is missing permissions policy?

Not sure if your Wix store has this?

Fix missing permissions policy on another platform