Permissions-Policy header missing restrictions on high-risk browser features

The Permissions-Policy header is a security instruction your web server sends to browsers, telling them which powerful device features your site (and the frames it embeds) is allowed to use, such as the camera, microphone, or GPS location. Your site sends the header, but it does not explicitly block the highest-risk features.

Why this matters

Without these restrictions, any third-party code loaded on your page (ads, analytics scripts, embedded widgets) could theoretically request access to a visitor's camera, microphone, or location without your knowledge. The header lets you disable such features for the whole page, so a compromised or misbehaving script cannot even prompt the visitor for them. Restricting unused features is a recognised security best practice.

How to fix it

Ask your developer or hosting provider to update the Permissions-Policy header to explicitly disable features you do not use. A typical rule looks like: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(). An empty allowlist, written as (), disables that feature for the page and every frame it embeds. This takes minutes to add; confirm the change by inspecting the response headers in your browser's developer tools.
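As an added example that is not part of the original finding, this Python script parses a Permissions-Policy header the way the rule above is written and reports which of the high-risk features are left unrestricted. The sample headers are constructed for demonstration.

```python
"""Audit a Permissions-Policy header for unrestricted high-risk features.

Added example, not part of the original finding. Directives follow the
Structured Field dictionary form the header uses:
    feature=(allowlist-item ...) | feature=* | feature=self
An empty allowlist "()" disables the feature for the page and its frames.
"""
import re

# The features the finding asks to disable when unused.
HIGH_RISK = ("camera", "microphone", "geolocation", "payment", "usb")

# One directive: a feature name, then a parenthesised list or a bare token.
_DIRECTIVE = re.compile(r'\s*([a-z][a-z0-9-]*)\s*=\s*(\([^)]*\)|[^,]*)')


def parse_permissions_policy(header):
    """Return {feature: allowlist}; an empty list means fully disabled."""
    policy = {}
    for m in _DIRECTIVE.finditer(header or ""):
        name, value = m.group(1), m.group(2).strip()
        items = value[1:-1].split() if value.startswith("(") else ([value] if value else [])
        policy[name] = [item.strip('"') for item in items]
    return policy


def audit(header):
    """Classify each high-risk feature as 'disabled', 'allowed' (named
    origins only), 'wildcard' (*), or 'missing' (browser default applies)."""
    policy = parse_permissions_policy(header)
    result = {}
    for feature in HIGH_RISK:
        if feature not in policy:
            result[feature] = "missing"
        elif not policy[feature]:
            result[feature] = "disabled"
        elif "*" in policy[feature]:
            result[feature] = "wildcard"
        else:
            result[feature] = "allowed"
    return result


def unrestricted(header):
    """High-risk features the header does not fully disable."""
    return [f for f, status in audit(header).items() if status != "disabled"]


# Constructed sample headers: one that triggers the finding, one that fixes it,
# and one that only partially restricts the features.
WEAK = "accelerometer=(), fullscreen=(self)"
FIXED = "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
PARTIAL = 'camera=(self "https://meet.example"), microphone=*, geolocation=()'

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("fixed", FIXED), ("partial", PARTIAL)):
        print(label, audit(header), "->", unrestricted(header))
```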