11

I need to implement the Permissions-Policy header in the .htaccess file

I spent a whole day looking for the header on the internet, but I found only explanations that I did not understand 100% how to implement.

The best explanation that I found about the header is in this article, Permissions-Policy. I inserted this line of code in the .htaccess file to make the magic happen, BUT I didn't get the green flag on securityheaders.

Permissions-Policy: fullscreen=(self "https://example.com" "https://another.example.com"), geolocation=*, camera=()

Please, I'll be extremely grateful for any help!

The image shows the result of the security headers scan

Result of Security Headers Scan

Paulo do Porto

2 Answers

21

Since no one could directly give me help, I found by myself the answer that works like a charm.

What is the Permissions Policy header

The Permissions Policy header is a security header that controls which browser features can be used. Besides implementing these rules for your own content, it can also prevent external iframes from using these browser features, making it a powerful header to secure your site.

This allows you to have fine-grained control over which browser functions your site can use. There are a lot of directives that can be controlled with the Permissions Policy header. For an extensive overview of all directives, see New Permissions-Policy Directives and Features.

And the code inside the .htaccess file is:

<IfModule mod_headers.c>
    # Permissions-Policy directives are separated by commas; semicolons are the older Feature-Policy syntax.
    Header always set Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), camera=(), microphone=(), usb=(), xr=(), speaker=(self), vibrate=(), fullscreen=(self)"
</IfModule>

This can help you get your Permissions-Policy flag on Security Headers.

Dharman
Paulo do Porto
  • 2
    I've voted this up, since you went ahead and wrote out a 'default' policy, which is hard to find. But people should be cautious about blindly copying and pasting a policy that might not always be appropriate for their site, without a bit more examination. – James John McGuire 'Jahmic' Apr 18 '21 at 14:22
  • Why this type or word used here? payment=(); camera=(); microphone=();usb=(); – Md Nurullah Nov 09 '21 at 13:40
7

Add this in the .htaccess file. It works like a charm.

<IfModule mod_headers.c>
Header always set Permissions-Policy "geolocation=(), midi=(),sync-xhr=(),accelerometer=(), gyroscope=(), magnetometer=(), camera=(), fullscreen=(self)"
</IfModule>
Ahsan Najam
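A header scanner mainly confirms that the header is present, so it helps to lint the value itself before deploying it. The following is an added example, not code from either answer: it checks a Permissions-Policy value against a simplified subset of the header grammar (comma-separated `feature=allowlist` members) and flags semicolon separators. The function names and sample strings are constructed for this sketch.

```python
import re

# Assumption: a simplified subset of the header grammar. An allowlist is "*",
# a bare self, or an inner list "( ... )" holding self / src / double-quoted
# origins. Feature names are not checked against any browser's supported list.
_MEMBER = re.compile(
    r'^(?P<feature>[a-z][a-z0-9-]*)='
    r'(?P<allow>\*|self|\((?:\s*(?:self|src|"[^"]*"))*\s*\))$'
)


def split_members(value):
    """Split on commas that sit outside quotes and parentheses."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == '(':
            depth += 1
        elif not quoted and ch == ')':
            depth -= 1
        if ch == ',' and depth == 0 and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return parts


def lint_permissions_policy(value):
    """Return (policy, problems) for one Permissions-Policy header value."""
    policy, problems = {}, []
    for member in split_members(value):
        if not member:
            problems.append('empty member (stray or trailing comma)')
        elif ';' in re.sub(r'"[^"]*"', '', member):
            problems.append(f'semicolon in {member!r}: separate directives with commas')
        elif not (m := _MEMBER.match(member)):
            problems.append(f'cannot parse {member!r}')
        else:
            policy[m['feature']] = m['allow']
    return policy, problems


# Constructed samples showing the two separator styles used on this page.
COMMA_STYLE = 'geolocation=(), camera=(), fullscreen=(self "https://example.com")'
SEMICOLON_STYLE = 'geolocation=(); camera=(); fullscreen=(self);'
```

Run `lint_permissions_policy` on the string you place inside `Header always set Permissions-Policy "..."`; an empty problems list means every member matched the subset grammar.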