The Permissions-Policy HTTP header replaces the existing Feature-Policy header for controlling delegation of permissions and powerful features. The header uses a structured syntax, and allows sites to more tightly restrict which origins can be granted access to features. This will be released in Really Simple SSL 4.1 before depracation.
What is the Permissions Policy header
The Permission Policy header is a security header that controls which browser features can be used. Besides implementing these rules for your own content it can also prevent external iframes from using these browser features, making it a powerful header to secure your site.
This allows you to have fine-grained control over which browser functions your site can use. There are a lot of directives that can be controlled with the Permission Policy header. For an extensive overview of all directives see this list by Mozilla.
Each directive can have one of these three values:
- * (this feature is allowed for your entire site, including external iframes)
- self (this feature is allowed for content coming from your own domain, blocking this feature for external iframes)
- none (this feature is not allowed on your site at all)
How to use the Permissions Policy header generator
You can find the Permissions Header policy settings in the Premium tab from your Really Simple SSL Dashboard (Settings->SSL->Premium). To enable the Permission Policy header, enable the ‘Permissions Policy‘ option. Once enabled, a new block containing a list of directives and their values will appear. By default, all directives will have the * value. You can change the value for each directive:
After pressing the ‘Save’ button near the bottom of the page, the Permissions Policy will be automatically updated in your .htaccess file.
Any questions or remarks? Contact us and let us know what you think!