Setting up Permissions Policy with Rails

How to set up Permissions Policy HTTP header in your Rails app

When I ran one of my apps through the Security Headers checker website I discovered that it was missing the Permissions-Policy HTTP header. This header tells the browser which features (camera, microphone, geolocation and so on) the page and the frames it embeds may use. If your site never uses the camera, disallow it explicitly: a feature that is disabled by policy cannot be switched on by an injected script or by a third-party frame either.

The Permissions-Policy HTTP header replaces the Feature-Policy HTTP header. This caught me out when I was trying to implement this header on one of my websites. Rails ships a permissions policy initializer at config/initializers/permissions_policy.rb, documented on the Ruby on Rails API site under ActionDispatch::PermissionsPolicy. I set up my Permissions Policy as per the documentation, but when I deployed my code it was applied as a Feature-Policy header, which is the old way of doing it; the Security Headers checker flagged this when I ran my site through it again. Later Rails releases (7.1 and newer) emit the Permissions-Policy header name from that same initializer, so check which header your version actually sends before overriding it.

So to combat this, and to make sure it was set as a Permissions-Policy header and not a Feature-Policy one, I set the header directly in my application controller:


class ApplicationController < ActionController::Base
  before_action :permissions_policy_header

  # other code...

  private

  # Sets the header on every response; each feature listed with an empty
  # allowlist () is disabled for this page and for any frames it embeds.
  def permissions_policy_header
    response.headers['Permissions-Policy'] = 'camera=(), gyroscope=(), microphone=(), usb=(), payment=(), geolocation=()'
  end
end

The app this Permissions Policy is applied to is a very simple app that doesn't use any browser features, so all of the features listed here are disallowed.

If you do need a feature, say geolocation, give it an allowlist instead of (): geolocation=(self) allows it for your own origin only, and geolocation=(self "https://maps.example.com") also allows a named third-party origin (the quoted origin here is a placeholder). Note the syntax: self is written unquoted, every other origin must be a quoted string, and * allows any origin, which is rarely what you want.

Scott Helme has a great article on Permissions Policy.

How to view your Permissions Policy header

If you want to see the Permissions-Policy header in your app, open your browser's web inspector. I use Google Chrome, so I navigate to the Network tab, click the Doc filter, refresh the page and click the name of the doc (in my case and then I can see the headers for the site. My Permissions Policy is listed under the response header permissions-policy.

Screenshot of web inspector showing headers for website
