Control powerful browser features

Declare which browser APIs your site is allowed to use, and shut down everything else at the browser layer.

Permissions Policy

  • Lock down powerful browser features to only the origins that need them
  • Restrict camera, microphone, geolocation, USB and other sensitive APIs
  • Stop cross-origin iframes from silently invoking the WebAuthn API
  • Reduce the attack surface available to injected or compromised code
  • Receive violation reports via the Reporting API with zero JavaScript

Protect authenticated sessions

Setting publickey-credentials-create=(self) and publickey-credentials-get=(self) ensures the WebAuthn API can only be invoked by your own origin. Third-party iframes and injected code can't silently enrol an attacker-controlled passkey or authorise an action the user didn't intend.

Combined with a strict Content Security Policy, this closes the gap between strong authentication and a compromised session.

Easy Setup

Permissions Policy is enabled with a single HTTP response header. You can start with a permissive configuration and tighten it as you see which features your application actually uses.

Every violation is delivered as a Reporting API report and surfaced in your Report URI dashboard in real time — alongside CSP, COEP, COOP, NEL and every other browser-level security event — so you have a single, consistent view of your browser security posture.
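To make the allowlist semantics concrete, here is an added Python example (not Report URI's code) that parses a Permissions-Policy header value and checks whether a given origin may invoke a feature under it. It covers both the WebAuthn lock-down described under "Protect authenticated sessions" and the start-permissive-then-tighten loop described under "Easy Setup": run the checker against the header you intend to ship and confirm that only the origins you expect can use each feature. The header value and origins are constructed for the example, the `maps.example.net` partner origin is hypothetical, and the checker ignores the iframe `allow` attribute (which can only narrow what the header grants, never widen it).

```python
"""Added example (not Report URI's code): evaluate a Permissions-Policy header.

Only the directive syntax shown on the page is handled:
    feature=(self "https://origin") | feature=() | feature=*
Iframe `allow` attribute inheritance is deliberately out of scope.
"""
import re

# Constructed sample header: WebAuthn limited to the page's own origin,
# camera/microphone/USB disabled everywhere, geolocation shared with one
# hypothetical partner origin.
SAMPLE_HEADER = (
    'publickey-credentials-create=(self), publickey-credentials-get=(self), '
    'camera=(), microphone=(), usb=(), '
    'geolocation=(self "https://maps.example.net")'
)

# Assumption: the features named on this page (camera, microphone,
# geolocation, usb, the two WebAuthn features) all default to `self` when
# the header does not mention them; check the spec for any other feature.
DEFAULT_ALLOWLIST = ["self"]

# feature=*  or  feature=( tokens )
_DIRECTIVE = re.compile(r"([a-z0-9-]+)\s*=\s*(\*|\(([^)]*)\))")
# allowlist tokens: a quoted origin, the keyword self, or *
_TOKEN = re.compile(r'"([^"]*)"|(self)|(\*)')


def parse_permissions_policy(header: str) -> dict[str, list[str]]:
    """Return {feature: allowlist}. An empty list means the feature is
    disabled for every origin; ['*'] means it is enabled for all."""
    policy: dict[str, list[str]] = {}
    for match in _DIRECTIVE.finditer(header):
        feature, value, inner = match.group(1), match.group(2), match.group(3)
        if value == "*":
            policy[feature] = ["*"]
        else:
            # findall yields one tuple per token; exactly one group is non-empty
            policy[feature] = [a or b or c for a, b, c in _TOKEN.findall(inner)]
    return policy


def is_allowed(policy: dict[str, list[str]], feature: str,
               document_origin: str, requesting_origin: str) -> bool:
    """True if `requesting_origin` may use `feature` under the top-level
    document's declared policy. `self` resolves to `document_origin`."""
    allowlist = policy.get(feature, DEFAULT_ALLOWLIST)
    for entry in allowlist:
        if entry == "*":
            return True
        if entry == "self" and requesting_origin == document_origin:
            return True
        if entry == requesting_origin:
            return True
    return False


def audit(header: str, document_origin: str, origins: list[str]) -> dict[str, list[str]]:
    """For each feature in the header, list which of `origins` can use it.
    Useful when tightening a permissive policy: anything unexpected here
    is a directive to revisit."""
    policy = parse_permissions_policy(header)
    return {
        feature: [o for o in origins if is_allowed(policy, feature, document_origin, o)]
        for feature in policy
    }


if __name__ == "__main__":
    site = "https://app.example"
    third_party = "https://widget.example"
    for feature, allowed in audit(SAMPLE_HEADER, site, [site, third_party]).items():
        print(f"{feature:32} -> {allowed or 'nobody'}")
```

The `audit` function is the part worth wiring into a deployment check: feed it the header your server actually emits plus the origins of every third-party iframe you embed, and fail the build if a sensitive feature such as `publickey-credentials-get` lists anything other than your own origin.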

Related Features

Alongside Permissions Policy, consider these browser security mechanisms for a defence-in-depth posture.

Content Security Policy

Block injected scripts before they can abuse an authenticated session.

COOP Reports

Process-isolate your origin and defend against Spectre-class attacks.

COEP Reports

Require all assets to be loaded with CORS or CORP enabled.
