Setting up Permissions Policy with Rails

How to set up Permissions Policy HTTP header in your Rails app

When I ran one of my apps through the Security Headers checker website I discovered that I was missing the Permissions Policy HTTP header. This header lets us enable or disable browser features: if our website does not use the camera, we should disallow it.

The Permissions Policy HTTP header replaces the Feature Policy HTTP header. This caught me out when I was trying to implement this header on one of my websites. Rails has a permissions_policy file in config > initializers > permissions_policy.rb, and it is documented on the Ruby on Rails API site. I set up my Permissions Policy as per the documentation, but when I deployed my code it was applied as a Feature Policy header, which is the old way of doing it. This was flagged up when I ran my site through the Security Headers checker again.

So to combat this, and to ensure it was being set as a Permissions Policy header and not a Feature Policy header, I set the header in my application controller:


class ApplicationController < ActionController::Base
  before_action :permissions_policy_header

  # other code...

  private

  # Set the header explicitly so it is sent as Permissions-Policy,
  # not as the legacy Feature-Policy header.
  def permissions_policy_header
    response.headers['Permissions-Policy'] = 'camera=(), gyroscope=(), microphone=(), usb=(), payment=(), geolocation=()'
  end
end

The app that this Permissions Policy is on is a very simple app which doesn’t use any browser features, so we have disallowed all of the features defined here.

If you are enabling a feature, say geolocation, you may want something like geolocation=(self '').

Scott Helme has a great article on Permissions Policy.
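To check that a response really carries the policy as Permissions-Policy rather than the legacy Feature-Policy header, here is a small audit helper. It is an added example, not code from the original post; the sample header hashes are constructed, not captured from a real site.

```ruby
# Added example: parse a Permissions-Policy header value and audit a
# response's headers for the mistake described above (the policy shipping
# as the legacy Feature-Policy header, or not at all).

# Case-insensitive header lookup; Rack may lowercase header names.
def header_value(headers, name)
  headers.find { |k, _| k.to_s.casecmp?(name) }&.last
end

# 'camera=(), geolocation=(self "https://maps.example"), fullscreen=*'
# => { "camera" => [], "geolocation" => ["self", "\"https://maps.example\""],
#      "fullscreen" => ["*"] }
def parse_permissions_policy(value)
  value.to_s.split(',').each_with_object({}) do |directive, policy|
    name, allowlist = directive.strip.split('=', 2)
    next if name.nil? || name.empty? || allowlist.nil?
    tokens = allowlist.strip
    # An allowlist is either a parenthesised list or a bare '*' / 'self'.
    tokens = tokens.delete_prefix('(').delete_suffix(')') if tokens.start_with?('(')
    policy[name] = tokens.split
  end
end

# Returns a list of findings; an empty list means every feature in
# must_disable is locked down with an empty allowlist '()'.
def audit_permissions_policy(headers, must_disable)
  findings = []
  findings << 'legacy Feature-Policy header present' if header_value(headers, 'Feature-Policy')
  value = header_value(headers, 'Permissions-Policy')
  return findings << 'Permissions-Policy header missing' if value.nil?

  policy = parse_permissions_policy(value)
  must_disable.each do |feature|
    allowlist = policy[feature]
    if allowlist.nil?
      findings << "#{feature} not mentioned (browser default applies)"
    elsif !allowlist.empty?
      findings << "#{feature} allowed for: #{allowlist.join(' ')}"
    end
  end
  findings
end

# Constructed sample responses (not captured from a real site).
LOCKED_DOWN = { 'Permissions-Policy' => 'camera=(), gyroscope=(), microphone=(), usb=(), payment=(), geolocation=()' }.freeze
LEGACY_ONLY = { 'Feature-Policy' => "camera 'none'; microphone 'none'" }.freeze
FEATURES    = %w[camera gyroscope microphone usb payment geolocation].freeze

if $PROGRAM_NAME == __FILE__
  p audit_permissions_policy(LOCKED_DOWN, FEATURES) # => []
  p audit_permissions_policy(LEGACY_ONLY, FEATURES)
end
```

The same audit can be run against `response.headers` in a Rails request test so a regression to the old header fails the build.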

How to view your Permissions Policy header

If you want to see your Permissions Policy header in your app open up your web inspector. I use Google Chrome so I will navigate to the Network tab. I then click on Doc, refresh the page and click the name of the doc (in my case and then I can see the headers on the site. My Permissions Policy will be under the header permissions-policy.

Screenshot of web inspector showing headers for website
