Scroll Top

What the Heck is a Security Header Permissions Policy?

What the Heck is a Security Header Permissions Policy?
Agile-software-development-with-Scrum-blog-cover-image
2
By Jeffrey Jones Security Blog September 22, 2023

A Web Developer Friend of Mine was asking me about a Security Assessment on his Web Site. The only suggestion was that he had a Permissions Policy to his Security Headers. The Developer said fine, I will take care of it. Then, he called me and said, “Jeff, What the Heck is a Permission Policy.”

So, I explained the Permissions Policy to him this way. I hope it works for you.

Imagine you’ve built a house (your website). In this house, you have a lot of rooms, and each room has different gadgets and tools (browser features and APIs). Some of these tools are powerful and potentially dangerous if used improperly. Plus, sometimes you allow guests (third-party content) into your house, and you don’t necessarily trust all of them with every tool.

Permissions Policy is like setting up rules about which guests (iframes or embedded content) can use which tools and in which rooms.

Here’s a breakdown:

  1. Purpose of Permissions Policy:
    • Control: It gives you the ability to selectively enable or disable browser features and APIs for your site or for embedded content.
    • Security & Privacy: By restricting certain features, especially for third-party content, you can enhance the security and privacy of your site.
  2. How It Works:
    • HTTP Header: You can define your rules in the HTTP response headers. For example: Permissions-Policy: geolocation=(). This would disable geolocation for all embedded content on your page.
    • Iframe Attribute: If you’re embedding content using an iframe, you can use the allow attribute to specify what that content can and cannot do. For example: <iframe src="..." allow="camera; microphone"> would only allow access to the camera and microphone for that specific iframe.
  3. Some Features You Can Control:
    • Geolocation
    • Camera & Microphone
    • Payment requests
    • Fullscreen access … and many others.
  4. Benefits:
    • Enhanced Security: Restrict potentially harmful features from being used by malicious or misbehaving third-party content.
    • Better Performance: By disabling unnecessary features, you can sometimes achieve better page performance.
    • User Trust: By demonstrating that you take security and privacy seriously, you can earn more trust from your users.

In essence, think of Permissions Policy as a way to set ground rules for your website’s features. Just like you’d lay down house rules for guests, Permissions Policy helps ensure that everything runs smoothly and securely on your site. I hope this helps.

2
Jeffrey Jones / About Author
More posts by Jeffrey Jones

Related Posts

Understanding Ransomware: How User Credentials and File Encryption Play a Role

Introduction: Ransomware has become a prevalent and damaging threat in the world of cybersecurity. This malicious software aims to encrypt…

1
1
27 Jun 2023
cyberstalking
“When NIST 800-63B Walked into a Bar: A Lighter Look at Password Standards”

In a universe (not so far away), where passwords like “123456” and “password” reigned supreme, our hero, NIST 800-63B, stepped…

2
2
22 Aug 2023
mount washington
New Hampshire Hacker Pleads Guilty to Passport and Wire Fraud

CONCORD – A Derry man pleaded guilty in federal court in Concord to passport fraud and wire fraud in connection…

0
0
30 Nov 2023
The Mitre ATT&CK Framework and Kill Chain Explained

What is the Mitre ATT&CK Framework? The Mitre ATT&CK Framework describes the techniques, tactics and procedures that hackers use to…

1
1
10 Oct 2023
Ransomware
Feds Release Akira Ransomware Defense Info

Washington, DC  –  Today, CISA, the Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National…

0
0 0
18 Apr 2024
WPA3 vs. WPA2 why make the switch

In the ever-evolving landscape of wireless networking, security is a paramount concern. With the increasing prevalence of smart devices, IoT…

1
1
30 Oct 2023
May 2023 News
May Newsletter

May 2023 Newsletter Tim Cook Said Recently “In The World of Cybersecurity The Last Thing You Want Is To Have…

0
0
20 Apr 2023
Ransomware
CNN Reports Finnish Psych Center Hacked and Patients Blackmailed

Helsinki, Finland (CNN) The confidential records of thousands of psychotherapy patients in Finland have been hacked and some are now…

0
0
27 Oct 2020
Ransomeware
FBI Offers Decryption Tool for Blackcat Ransomware

The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus…

0
0
20 Dec 2023
Topgallant Selected as a New York State Certified Service Disabled Veteran Owned Business

Topgallant Partners was recently Certified by New York as a New York State Certified Service-Disabled Veteran Owned Business. Topgallant Received the news in April. The news was received in a letter written by the Executive Director for Division of Service-Disabled Veterans’ Business Development, Kenneth E. Williams.

1
1
20 Jul 2022
Vulnerability Scanning + Penetration Testing = Best Practice

To help businesses uncover and fix the vulnerabilities and misconfigurations affecting their systems, there is an abundance of solutions available….

0
0
18 Jul 2022
Fresenius Says 500K Medical Records Stolen

“The incident may have affected approximately 500,000…

0
0
07 Dec 2023
ESXi
CISA Provides Recovery Tool for Recent ESXi Arg Ransomware

The Cyber Security and Infrastructure Security Agency (CISA) has come to the rescue for those affected by a Recent Ransomware…

0
0
08 Feb 2023
Darknet
CISA Advises Diligence on Russian Invasion Anniversary

CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt…

0
0
24 Feb 2023
encryption
Salted Hashes Explained in 60 Seconds

Have you ever wondered what a Salted Hash was? Well, here is the Cliff Notes’ Version Hashing is a function…

0
0
04 Dec 2020
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required