Permissions Policy Header Not Set
- Risk: Low
- Type: Passive
- CWE: CWE-693
- Summary
The Permissions-Policy header is an added layer of security that restricts unauthorized access to, or use of, browser/client features by web resources. The policy protects user privacy by limiting or specifying which browser features a web resource may use. Permissions Policy is delivered as a standard HTTP response header that lets website owners limit which browser features a page can use, such as the camera, microphone, geolocation, full screen, and so on.
- Solution
Ensure that your web server, application server, load balancer, etc. are configured to set the Permissions-Policy header on every response.
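The passive check described by this alert, as an added example rather than the scanner's own rule: it reports the header as missing (or only the deprecated Feature-Policy present), and otherwise parses the directive list to see whether the common features named above are actually restricted. The feature list, the "Informational" level for a present-but-weak policy, and the sample headers are assumptions constructed for the example.

```python
"""Passive check for the Permissions-Policy response header (added example,
not the scanner's own rule). Sample headers below are constructed."""

# Features this example expects a policy to address (assumption).
DEFAULT_FEATURES = ("camera", "microphone", "geolocation", "fullscreen")


def parse_permissions_policy(value):
    """Parse a Permissions-Policy value into {feature: allowlist}.

    Simplified grammar: feature=(token token ...) | feature=* | feature=self
    An empty allowlist [] means the feature is disabled everywhere."""
    policy = {}
    for item in value.split(","):
        item = item.strip()
        if not item or "=" not in item:
            continue  # ignore malformed directives
        feature, _, allowlist = item.partition("=")
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            tokens = allowlist[1:-1].split()
        else:
            tokens = [allowlist]  # bare token such as * or self
        policy[feature.strip().lower()] = [t.strip('"') for t in tokens]
    return policy


def check_permissions_policy(headers, features=DEFAULT_FEATURES):
    """Evaluate response headers (dict, names matched case-insensitively).

    Returns (risk, message): "Low" when the header is missing (matching this
    alert), "Informational" when present but a listed feature is unrestricted
    or open to any origin, or None when every listed feature is restricted."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("permissions-policy")
    if value is None:
        if "feature-policy" in lower:
            return ("Low", "Only the deprecated Feature-Policy header is set")
        return ("Low", "Permissions-Policy header not set")
    problems = []
    policy = parse_permissions_policy(value)
    for feature in features:
        if feature not in policy:
            problems.append(f"{feature} not restricted")
        elif "*" in policy[feature]:
            problems.append(f"{feature} allowed for any origin")
    if problems:
        return ("Informational", "; ".join(problems))
    return None
```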
- References
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
https://developer.chrome.com/blog/feature-policy/
https://scotthelme.co.uk/a-new-security-header-feature-policy/