Setting up Permissions Policy with Rails
How to set up Permissions Policy HTTP header in your Rails app
When I ran one of my apps through the Security Headers checker website I discovered that I was missing my Permissions Policy HTTP header. This header lets a site tell the browser which features (camera, microphone, geolocation and so on) the page and any frames it embeds may use. If our site never uses the camera, we should tell the browser to disallow it.
The Permissions Policy HTTP header replaces the Feature Policy HTTP header, and this caught me out when I was trying to implement the header on one of my websites. Rails has a permissions_policy initializer at config/initializers/permissions_policy.rb, which is documented on the Ruby on Rails API site. I set up my Permissions Policy as per the documentation, but when I deployed my code it was applied as a Feature Policy header, which is the old way of doing it, and this was flagged up when I ran my site through the Security Headers checker again.
So to combat this, and to ensure it was being set as a Permissions Policy header and not a Feature Policy header, I set the header in my application controller:

```ruby
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  before_action :permissions_policy_header

  # other code...

  protected

  def permissions_policy_header
    response.headers['Permissions-Policy'] = 'camera=(), gyroscope=(), microphone=(), usb=(), payment=(), geolocation=()'
  end
end
```
The app this Permissions Policy is on is a very simple app that doesn't use any browser features, so we have disallowed all of the features defined here. Note that a before_action only covers responses rendered by controllers that inherit from ApplicationController; static files served from public/ and responses generated by other middleware will not carry the header.
If you are enabling, say, geolocation you may want to have something like
Scott Helme has a great article on Permissions Policy.
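The allowlist form hinted at above, and the check of what the server actually sent that the next section describes, as one added example that is not the original post's code: a plain-Ruby builder and parser for the Permissions-Policy value. The feature list, the origin https://maps.example.com and the two sample policies are constructed for this example; in a Rails app the serialized string is what you would assign to response.headers['Permissions-Policy'] in the before_action shown above.

```ruby
# Added example (not from the original post): build a Permissions-Policy value
# from a Ruby hash and parse one back, so you can check what a server really sent.
# Plain Ruby with no Rails dependency; in Rails the serialized string is what you
# would assign to response.headers['Permissions-Policy'].
require 'uri'

module PermissionsPolicy
  # Feature names this example knows about (a subset chosen for this page).
  FEATURES = %w[accelerometer camera geolocation gyroscope magnetometer
                microphone payment usb].freeze

  # policy is a Hash of feature => allowlist, where the allowlist is one of
  #   :none  -> disabled for every origin, serialized as "()"
  #   :all   -> allowed for every origin, serialized as "*"
  #   Array  -> :self and/or https origin strings, e.g. [:self, "https://maps.example.com"]
  def self.serialize(policy)
    policy.map do |feature, allowlist|
      name = feature.to_s
      raise ArgumentError, "unknown feature #{name.inspect}" unless FEATURES.include?(name)

      "#{name}=#{serialize_allowlist(allowlist)}"
    end.join(', ')
  end

  def self.serialize_allowlist(allowlist)
    case allowlist
    when :none then '()'
    when :all then '*'
    when Array
      raise ArgumentError, 'empty allowlist; use :none to disable a feature' if allowlist.empty?

      items = allowlist.map { |entry| entry == :self ? 'self' : %("#{validate_origin(entry)}") }
      "(#{items.join(' ')})"
    else
      raise ArgumentError, "unsupported allowlist #{allowlist.inspect}"
    end
  end

  # An allowlist entry is an origin, not a URL: https scheme + host (+ port), nothing else.
  # This example deliberately rejects http origins, paths, queries and credentials.
  def self.validate_origin(entry)
    uri = URI.parse(entry.to_s)
    ok = uri.is_a?(URI::HTTPS) && uri.host && uri.path.empty? &&
         uri.query.nil? && uri.fragment.nil? && uri.userinfo.nil?
    raise ArgumentError, "not a bare https origin: #{entry.inspect}" unless ok

    entry.to_s
  rescue URI::InvalidURIError
    raise ArgumentError, "not a bare https origin: #{entry.inspect}"
  end

  # Parse a header value (copied from DevTools or `curl -I`) back into the hash form.
  # Feature names are not validated here so an unexpected directive still shows up.
  def self.parse(header)
    header.split(',').each_with_object({}) do |directive, out|
      name, value = directive.strip.split('=', 2)
      raise ArgumentError, "malformed directive #{directive.inspect}" if name.nil? || name.empty? || value.nil?

      out[name.to_sym] = parse_allowlist(value.strip)
    end
  end

  def self.parse_allowlist(value)
    return :all if value == '*'
    unless value.start_with?('(') && value.end_with?(')')
      raise ArgumentError, "allowlist must be * or a parenthesised list: #{value.inspect}"
    end

    inner = value[1...-1].strip
    return :none if inner.empty?

    inner.split(/\s+/).map do |token|
      if token == 'self'
        :self
      elsif token.length >= 2 && token.start_with?('"') && token.end_with?('"')
        validate_origin(token[1...-1])
      else
        raise ArgumentError, "unexpected allowlist token #{token.inspect}"
      end
    end
  end

  # Names every feature in `required` that the header does not disable outright.
  # An empty result means the header matches the all-disabled policy used on this page.
  def self.not_disabled(header, required)
    policy = parse(header)
    required.map(&:to_sym).reject { |feature| policy[feature] == :none }
  end
end

# Constructed sample policies for a stand-alone run.
LOCKED_DOWN = { camera: :none, gyroscope: :none, microphone: :none,
                usb: :none, payment: :none, geolocation: :none }.freeze
WITH_GEOLOCATION = LOCKED_DOWN.merge(geolocation: [:self, 'https://maps.example.com']).freeze

if $PROGRAM_NAME == __FILE__
  puts PermissionsPolicy.serialize(LOCKED_DOWN)
  puts PermissionsPolicy.serialize(WITH_GEOLOCATION)
  p PermissionsPolicy.not_disabled('camera=(), geolocation=(self "https://maps.example.com")', %w[camera geolocation])
end
```

Running the file prints the locked-down value from the controller above and the geolocation variant that allows the page's own origin plus one trusted map host. Pasting the value you see in the browser into PermissionsPolicy.not_disabled lists anything the header leaves enabled, which is a quicker check than reading the directives by eye.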
How to view your Permissions Policy header
If you want to see your Permissions Policy header in your app, open up your web inspector. I use Google Chrome, so I will navigate to the Network tab. I then click on Doc, refresh the page and click the name of the doc (in my case tosbourn.com), and then I can see the headers on the site. My Permissions Policy will be under the header