Free Tool
Permissions-Policy Checker
Review whether your site limits unnecessary browser feature access for itself and embedded third-party content.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
Feature Controls
Checks whether high-risk browser APIs are restricted by policy.
Third-Party Embeds
Reviews how embedded content may inherit or request browser capabilities.
Privacy Baseline
Highlights policies that reduce camera, microphone, and location exposure.
Least Privilege
Encourages allowing only features your application actually needs.
Recommended Baseline
Camera
Disable camera access unless your product explicitly needs it.
Microphone
Disable microphone access for ordinary marketing and content pages.
Geolocation
Allow geolocation only on pages where location is core to the workflow.
Embeds
Review third-party iframes and restrict capabilities with explicit allowlists.
FAQ
What is Permissions-Policy?
Permissions-Policy is an HTTP header that limits which browser features a page and its embedded frames can use.
Which features should I restrict?
Most websites can restrict camera, microphone, geolocation, payment, USB, and fullscreen unless those features are required.
Does Permissions-Policy replace user permission prompts?
No. The policy applies before any prompt is shown: it controls whether a feature is available at all. Browser permission prompts still apply when a feature is allowed.
Can Permissions-Policy protect embedded content?
Yes. It can limit what iframes and third-party embeds are allowed to access, depending on your configured directives.
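The baseline and FAQ above can be checked mechanically. The following Python sketch is an added example, not ZeriFlow's code or engine: it parses a Permissions-Policy header value and classifies the six features the FAQ names. The sample header, the `needed` parameter and the status labels are constructed for illustration, and the parser handles only the common `feature=(...)` and `feature=*` forms.

```python
import re

# Features the FAQ above lists as restrictable on most sites.
BASELINE = ("camera", "microphone", "geolocation", "payment", "usb", "fullscreen")

# One header member: feature=(allowlist) or feature=token such as *.
MEMBER = re.compile(r'\s*([a-z][a-z0-9-]*)\s*=\s*(\([^)]*\)|[^,\s]+)\s*(?:,|$)')

def parse_policy(header):
    """Return {feature: allowlist items}; an empty list means disabled."""
    header, policy, pos = header.strip(), {}, 0
    while pos < len(header):
        m = MEMBER.match(header, pos)
        if not m:
            raise ValueError(f"malformed Permissions-Policy at offset {pos}")
        value = m.group(2)
        policy[m.group(1)] = value[1:-1].split() if value.startswith("(") else [value]
        pos = m.end()
    return policy

def audit(header, needed=()):
    """Classify baseline features; `needed` (assumed input) = features the site uses."""
    policy = parse_policy(header or "")
    report = {}
    for feature in BASELINE:
        allow = policy.get(feature)
        if allow is None:
            report[feature] = "missing"      # browser default allowlist applies
        elif not allow:
            report[feature] = "disabled"     # feature=() blocks page and frames
        elif "*" in allow:
            report[feature] = "all-origins"
        else:
            report[feature] = "allowlisted"
    # Least privilege: flag anything not disabled unless it is needed and scoped.
    findings = [f for f, s in report.items()
                if s != "disabled" and not (s == "allowlisted" and f in needed)]
    return report, findings

# Constructed sample header for a site that only needs geolocation.
SAMPLE = 'camera=(), microphone=(), geolocation=(self "https://maps.example"), payment=*, fullscreen=(self)'

if __name__ == "__main__":
    report, findings = audit(SAMPLE, needed=("geolocation",))
    for feature, status in report.items():
        print(f"{feature:12} {status}")
    print("review:", ", ".join(findings))
```

A feature reported as `missing` is not blocked: with no directive, the browser falls back to that feature's default allowlist.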
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.