Setting up Permissions Policy with Rails

How to set up Permissions Policy HTTP header in your Rails app

When I ran one of my apps through the Security Headers checker website I discovered that I was missing my Permissions Policy HTTP header. This header lets us tell the browser which features our pages are allowed to use, and which they are not. If our website does not use the camera, for example, we should disallow it explicitly.

The Permissions Policy HTTP header replaces the Feature Policy HTTP header. This caught me out when I was trying to implement this header on one of my websites. Rails ships with a permissions policy initializer at config/initializers/permissions_policy.rb, which is documented on the Ruby on Rails API site. I set up my Permissions Policy as per the documentation, but when I deployed my code Rails sent it as a Feature-Policy header, the old name for this header, and the Security Headers checker flagged that when I ran my site through it again.

So to work around this and ensure the header was sent as Permissions-Policy rather than Feature-Policy, I set it myself in my application controller:

app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
  # Runs before every action in every controller that inherits from here,
  # so the header is sent on every HTML response.
  before_action :permissions_policy_header

  # other code...

  protected

  # An empty allowlist, e.g. camera=(), disables that feature for every origin,
  # including our own pages and any iframes they embed.
  def permissions_policy_header
    response.headers['Permissions-Policy'] = 'camera=(), gyroscope=(), microphone=(), usb=(), payment=(), geolocation=()'
  end
end

The app this Permissions Policy is applied to is a very simple app which doesn’t use any browser features, so we have disallowed every feature listed here.

If you are enabling a feature such as geolocation, you may want something like geolocation=(self "https://examplemap.com/"). Origins in the allowlist are double-quoted; only the keywords self and * are written bare.
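Building that header string by hand is error-prone (a stray quote or a missing comma silently produces a directive the browser ignores), so here is an added example, not code from the original post or from Rails, that assembles the value from a Ruby hash and parses a value back so you can assert on what a response actually carries. The module name PermissionsPolicy, the method names and the sample allowlist are assumptions for illustration; the returned string is what you would assign to response.headers['Permissions-Policy'] in the controller above. It is plain Ruby with no Rails dependency.

```ruby
# Added example (not from the original post, not part of Rails): build a
# Permissions-Policy header value from a hash and parse one back.
module PermissionsPolicy
  # features: { camera: [], geolocation: [:self, "https://examplemap.com"] }
  # An empty allowlist disables the feature everywhere; ["*"] allows it for
  # any origin; otherwise origins are emitted as double-quoted strings and the
  # `self` keyword stays bare, as the header grammar requires.
  def self.build(features)
    features.map do |name, allowlist|
      entries = Array(allowlist).map(&:to_s)
      if entries == ["*"]
        "#{name}=*"
      else
        quoted = entries.map { |e| e == "self" ? e : %("#{e}") }
        "#{name}=(#{quoted.join(' ')})"
      end
    end.join(", ")
  end

  # Parse a header value back into { "feature" => ["self", "https://..."] }.
  # Origins never contain commas, so splitting on "," is safe here.
  def self.parse(value)
    value.split(",").each_with_object({}) do |directive, acc|
      name, rest = directive.strip.split("=", 2)
      rest = rest.to_s.strip
      acc[name] = if rest == "*"
                    ["*"]
                  else
                    rest.delete_prefix("(").delete_suffix(")").split.map { |t| t.delete('"') }
                  end
    end
  end

  # True when the feature is listed with an empty allowlist, i.e. blocked for
  # every origin. A feature that is not listed at all falls back to the
  # browser default, which for most features is "self", so it is NOT blocked.
  def self.disabled?(value, feature)
    parsed = parse(value)
    parsed.key?(feature.to_s) && parsed[feature.to_s].empty?
  end

  # The condition the author was after: the modern header is present and the
  # deprecated Feature-Policy header is absent. `headers` is any Hash-like
  # mapping of response header names to values (header names are
  # case-insensitive, so compare them lower-cased).
  def self.headers_ok?(headers)
    keys = headers.keys.map { |k| k.to_s.downcase }
    keys.include?("permissions-policy") && !keys.include?("feature-policy")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample policy: everything off except geolocation for our own
  # origin plus one map provider, and fullscreen for any origin.
  policy = PermissionsPolicy.build(
    camera: [], microphone: [], payment: [],
    geolocation: [:self, "https://examplemap.com"],
    fullscreen: ["*"]
  )
  puts policy
  puts "camera blocked? #{PermissionsPolicy.disabled?(policy, :camera)}"
end
```

In a Rails test you can call PermissionsPolicy.disabled?(response.headers['Permissions-Policy'], :camera) after a request to lock the policy in, and headers_ok?(response.headers) catches a regression to the old Feature-Policy name, which is exactly the mistake the Security Headers checker reported.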

Scott Helme has a great article on Permissions Policy.

How to view your Permissions Policy header

If you want to see the Permissions Policy header your app sends, open your browser's web inspector. I use Google Chrome, so I navigate to the Network tab, click Doc, refresh the page and click the name of the document (in my case tosbourn.com); the response headers for the page are then listed, and the Permissions Policy appears under the header permissions-policy.

Screenshot of web inspector showing headers for tosbourn.com website
