Permissions Policy Header Not Set

• Risk:

• Low

• Type:
• Passive

• CWE:
• CWE-693

Summary

Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

Solution

Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy

https://developer.chrome.com/blog/feature-policy/

https://scotthelme.co.uk/a-new-security-header-feature-policy/

https://w3c.github.io/webappsec-feature-policy/

https://www.smashingmagazine.com/2018/12/feature-policy/

Top Security News

Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)

Bitbucket services “hard down” due to major worldwide outage

SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation

Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025

Windows Server 2025 released—here are the new features

Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure

U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Salt Typhoon

TikTok is back up in the US after Trump says he will extend deadline

Top Alert List

Content Security Policy (CSP) Header Not Set

CSP

MediumAbsence of Anti-CSRF Tokens

MediumMissing Anti-clickjacking Header

MediumContent Security Policy (CSP) Header Not Set

InformationalInformation Disclosure - Suspicious Comments

InformationalModern Web Application

LowCross-Domain JavaScript Source File Inclusion

InformationalRe-examine Cache-control Directives

LowCSP: X-Content-Security-Policy

Top CVE List

CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability

CVE-2024-47575 Fortinet FortiManager Missing Authentication Vulnerability

CVE-2024-49039 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability

CVE-2020-11023 JQuery Cross-Site Scripting (XSS) Vulnerability

CVE-2025-21333 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability

CVE-2024-55591 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

CVE-2025-0282 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

CVE-2017-6736 Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability

CVE-2024-50623 Cleo Multiple Products Unrestricted File Upload Vulnerability

CVE-2017-3881 Cisco IOS and IOS XE Remote Code Execution Vulnerability

Common CWEs

CWE-143 Improper Neutralization of Record Delimiters

CWE-1069 Empty Exception Block

CWE-1092 Use of Same Invokable Control Element in Multiple Architectural Layers

CWE-343 Predictable Value Range from Previous Values

CWE-53 Path Equivalence: '\multiple\\internal\backslash'

CWE-1277 Firmware Not Updateable

CWE-183 Permissive List of Allowed Inputs

CWE-613 Insufficient Session Expiration

HighCWE-787 Out-of-bounds Write

CWE-246 J2EE Bad Practices: Direct Use of Sockets