Missing Permissions-Policy on Next.js
Your site is missing a `Permissions-Policy` header. This header limits which browser features (camera, microphone, geolocation, USB, payment, etc.) your pages and any embedded iframes can access. Without it, a compromised third-party script could prompt the user for their camera or GPS. Fix it by explicitly denying features you do not use.
The fix for Next.js
Deny the features you do not use. Allow on `self` for ones you do.
```js
// One entry of the `headers` array returned by headers() in next.config.js
{
  key: 'Permissions-Policy',
  value: 'camera=(), microphone=(), geolocation=(), usb=(), payment=(self)'
}
```
Why it matters
Most apps never use the camera, mic, or geolocation. But every page can request them — and every embedded third-party script can try. A locked-down Permissions-Policy means a malicious analytics or ad tag cannot even ask.
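A complete `next.config.js` that produces the header above, added here as an example rather than code from the original guide. It keeps the feature list in one map so the allowlists are reviewable in code review, serializes it into the header's dictionary syntax, and attaches it to every route. The feature list, the `payment=(self)` exception and the `/(.*)` route pattern are assumptions; trim them to what your app actually calls.

```javascript
// next.config.js (added example; the feature map and route pattern are assumptions)

// Map each policy-controlled feature to its allowlist.
//   []        -> "()"      denied everywhere, including your own origin
//   ['self']  -> "(self)"  allowed only for your own origin
// Use '*' (any origin) only with a documented reason.
const PERMISSIONS_POLICY = {
  camera: [],
  microphone: [],
  geolocation: [],
  usb: [],
  accelerometer: [],
  gyroscope: [],
  magnetometer: [],
  autoplay: [],
  payment: ['self'], // assumption: this app uses the Payment Request API first-party only
};

// Serialize the map into the header's dictionary syntax, e.g.
//   camera=(), payment=(self), fullscreen=(self "https://cdn.example")
// Bare tokens (self, *) stay unquoted; explicit origins must be double-quoted.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      const members = allowlist
        .map((entry) => (entry === 'self' || entry === '*' ? entry : JSON.stringify(entry)))
        .join(' ');
      return `${feature}=(${members})`;
    })
    .join(', ');
}

// Header entries for every route. Kept synchronous so it can be checked directly;
// the async headers() below is the shape Next.js expects.
function permissionsPolicyHeaders(policy = PERMISSIONS_POLICY) {
  return [
    {
      source: '/(.*)',
      headers: [{ key: 'Permissions-Policy', value: buildPermissionsPolicy(policy) }],
    },
  ];
}

const nextConfig = {
  async headers() {
    return permissionsPolicyHeaders();
  },
};

module.exports = nextConfig;
```

Deny by default and add `'self'` only for a feature your code demonstrably calls; a `'*'` entry for anything in this list should stand out in review. Because the value is generated, adding a feature is a one-line change rather than hand-editing a long string.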
Confirm the fix worked
Scan your Next.js site to confirm this finding is gone.
AI prompt
Apply across your codebase
Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.
Add a Permissions-Policy header to my app that denies camera, microphone, geolocation, USB, accelerometer, gyroscope, magnetometer, payment, and autoplay by default. If my app legitimately uses one of these, allow only on `self`. Tell me which ones I need to keep by scanning my code for navigator.mediaDevices, navigator.geolocation, and Payment Request API usage.
FAQ
Frequently asked questions
- What does empty `()` mean?
- Empty parentheses mean the feature is denied for all origins, including yours. `(self)` allows only your own origin. `(*)` allows any origin (rarely what you want).
- Is this the same as Feature-Policy?
- Permissions-Policy is the current name; Feature-Policy is the old one. The syntax is slightly different. Browsers accept either, but send Permissions-Policy for future-proofing.
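To confirm the fix worked without relying on a scanner, and to make the `()` / `(self)` / `(*)` distinctions from the FAQ concrete, here is an added example (not code from the original page) that parses a `Permissions-Policy` response header and lists every expected feature that is still reachable. The three sample header values are constructed for the example; in practice you would paste in the value from `curl -sI` against your deployment or from the DevTools Network panel. The list of features expected to be denied is an assumption matching the prompt above.

```javascript
// Added example: audit a Permissions-Policy header value. Sample values are constructed.

// Parse `camera=(), payment=(self), fullscreen=(self "https://a.example")` into
// { camera: [], payment: ['self'], fullscreen: ['self', 'https://a.example'] }.
// Also accepts the bare forms `feature=self` and `feature=*` that browsers tolerate.
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const part of value.split(',')) {
    const directive = part.trim();
    const eq = directive.indexOf('=');
    if (!directive || eq === -1) continue; // empty or malformed member: skip it
    const feature = directive.slice(0, eq).trim();
    let rhs = directive.slice(eq + 1).trim();
    if (rhs.startsWith('(') && rhs.endsWith(')')) rhs = rhs.slice(1, -1).trim();
    const allowlist = rhs === ''
      ? []
      : rhs.split(/\s+/).map((token) => token.replace(/^"(.*)"$/, '$1'));
    policy[feature] = allowlist;
  }
  return policy;
}

// Features this app expects to be fully denied with "()". (Assumption; payment is
// deliberately absent because the guide allows it on self.)
const EXPECTED_DENIED = [
  'camera', 'microphone', 'geolocation', 'usb',
  'accelerometer', 'gyroscope', 'magnetometer', 'autoplay',
];

// Classify one allowlist the way the FAQ describes: () is denied, (self) is own
// origin only, (*) is any origin. A feature missing from the header falls back to
// the browser's default allowlist, which for most features is `self`, not denied.
function classify(allowlist) {
  if (allowlist === undefined) return 'missing';
  if (allowlist.length === 0) return 'denied';
  if (allowlist.includes('*')) return 'any-origin';
  if (allowlist.length === 1 && allowlist[0] === 'self') return 'self-only';
  return 'allowlisted';
}

// Return every expected feature that is NOT denied, with the reason. An empty
// array means the finding is resolved. `headerValue` may be null if the header
// is absent from the response.
function auditPermissionsPolicy(headerValue, expectedDenied = EXPECTED_DENIED) {
  const policy = headerValue == null ? {} : parsePermissionsPolicy(headerValue);
  const findings = [];
  for (const feature of expectedDenied) {
    const status = classify(policy[feature]);
    if (status !== 'denied') findings.push({ feature, status });
  }
  return findings;
}

// Constructed sample responses: no header, a partial fix, and the full fix.
const BEFORE = null;
const PARTIAL = 'camera=(), microphone=(self), geolocation=*, payment=(self)';
const AFTER = 'camera=(), microphone=(), geolocation=(), usb=(), accelerometer=(), '
  + 'gyroscope=(), magnetometer=(), autoplay=(), payment=(self)';

for (const [label, value] of [['before', BEFORE], ['partial', PARTIAL], ['after', AFTER]]) {
  console.log(label, auditPermissionsPolicy(value));
}
```

Treat `missing` as seriously as `any-origin`: a feature you forgot to list is not denied, it simply inherits the browser default, which for the camera, microphone and geolocation is your own origin, so a script running on your page can still prompt for it.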
Related fix guides
Fix these too
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Missing X-Frame-Options
Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.