Security header tool · modern browser feature control

Permissions-Policy Header Builder & Feature Access Planner

Generate a copy-ready Permissions-Policy header, matching iframe allow attributes, and server snippets for the browser features your app actually needs — no more, no less.

Buy Me a Coffee Jump to builder

Quick presets

Start with a conservative baseline, then loosen only the features your product really uses.

Primary origin

Trusted partner / embed origin

Project notes

Reminder: Permissions-Policy support varies by feature and browser. This tool helps you craft a sane policy, but you should still test the exact browsers your users depend on.

Feature matrix

Each feature can allow none, self, partner, both, or all. The generated header uses modern policy syntax like camera=(self "https://partner").

Generated output

Copy the policy, the iframe attribute, or a framework-specific snippet.

0features enabled

0features denied

0header chars

Permissions-Policy header

iframe allow attribute

Implementation notes

Start by denying everything sensitive by default, then selectively re-enable only what is needed.

Why this matters

Permissions Policy reduces ambient browser power. It helps you lock down embedded experiences and document intended capability boundaries.

Limit risky features like camera, microphone, geolocation, USB, and screen wake lock.
Control what embedded third-party content can access.
Make security headers consistent across Node, Nginx, Apache, or edge deployments.
Turn browser capability planning into a quick checklist instead of tribal knowledge.