f

Author: carlospolop

src/network-services-pentesting/pentesting-web/special-http-headers.md

@@ -215,6 +215,53 @@ Lastly, HSTS is a security feature that forces browsers to communicate with serv
 Strict-Transport-Security: max-age=3153600
 ```
 
+### **Permissions-Policy (formerly Feature-Policy)**
+
+Permissions-Policy allows web developers to selectively enable, disable, or modify the behaviour of certain browser features and APIs within a document. It is the successor to the now-deprecated `Feature-Policy` header. This header helps reduce the attack surface by restricting access to powerful features that could be abused.
+
+```
+Permissions-Policy: geolocation=(), camera=(), microphone=()
+```
+
+**Common directives:**
+
+| Directive | Description |
+| --- | --- |
+| `accelerometer` | Controls access to the Accelerometer sensor |
+| `camera` | Controls access to video input devices (webcam) |
+| `geolocation` | Controls access to the Geolocation API |
+| `gyroscope` | Controls access to the Gyroscope sensor |
+| `magnetometer` | Controls access to the Magnetometer sensor |
+| `microphone` | Controls access to audio input devices |
+| `payment` | Controls access to the Payment Request API |
+| `usb` | Controls access to the WebUSB API |
+| `fullscreen` | Controls access to the Fullscreen API |
+| `autoplay` | Controls whether media can autoplay |
+| `clipboard-read` | Controls access to read clipboard content |
+| `clipboard-write` | Controls access to write to the clipboard |
+
+**Syntax values:**
+
+- `()` - Disables the feature entirely
+- `(self)` - Allows the feature only for the same origin
+- `*` - Allows the feature for all origins
+- `(self "https://example.com")` - Allows for same origin and specified domain
+
+**Example configurations:**
+
+```
+# Restrictive policy - disable most features
+Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(), usb=()
+
+# Allow camera only from same origin
+Permissions-Policy: camera=(self)
+
+# Allow geolocation for same origin and a trusted partner
+Permissions-Policy: geolocation=(self "https://maps.example.com")
+```
+
+From a security perspective, missing or overly permissive `Permissions-Policy` headers may allow attackers (e.g., through XSS or embedded iframes) to abuse powerful browser features. Always restrict features to the minimum necessary for your application.
+
 ## Header Name Casing Bypass
 
 HTTP/1.1 defines header field‐names as **case-insensitive** (RFC 9110 §5.1). Nevertheless, it is very common to find custom middleware, security filters, or business logic that compare the *literal* header name received without normalising the casing first (e.g. `header.equals("CamelExecCommandExecutable")`).  If those checks are performed **case-sensitively**, an attacker may bypass them simply by sending the same header with a different capitalisation.