AZ Tools

Permissions-Policy Header Builder

The Permissions-Policy header is the modern replacement for Feature-Policy: it tells the browser which features your page and its iframes are allowed to use. Pick each feature one at a time and choose whether it's blocked entirely, allowed only for the same origin, allowed for any origin, or limited to a custom list. The tool tags the well-known features (camera, microphone, geolocation, payment, USB, etc.) by category so you don't miss the one that bites you. Warnings catch unsafe defaults — wildcards that hand the feature to every embedded origin, custom lists missing a scheme.

Presets
Sensors
  • accelerometer
    Read accelerometer
  • gyroscope
    Read gyroscope
  • magnetometer
    Read magnetometer
  • ambient-light-sensor
    Read ambient light
Media capture
  • camera
    Use the user's camera
  • microphone
    Use the user's microphone
  • autoplay
    Autoplay media
  • display-capture
    Screen-share via getDisplayMedia
  • speaker-selection
    Pick output audio device
Payment & auth
  • payment
    Use the Payment Request API
  • publickey-credentials-get
    Use WebAuthn
Display
  • fullscreen
    Programmatically go fullscreen
  • picture-in-picture
    Open PIP video
  • screen-wake-lock
    Keep the screen awake
  • xr-spatial-tracking
    Use WebXR spatial tracking
Other
  • geolocation
    Read user location
  • clipboard-read
    Read clipboard contents
  • clipboard-write
    Write to clipboard
  • usb
    Use Web USB
  • serial
    Use Web Serial
  • bluetooth
    Use Web Bluetooth
  • idle-detection
    Detect user idle
  • midi
    Use Web MIDI
  • web-share
    Use the Web Share API
Response header
Permissions-Policy: autoplay=(self), fullscreen=(self), picture-in-picture=(self), clipboard-write=(self), web-share=(self)

Apply on every HTML response. Use Report-To + the `report-uri` directive (not built here) if you want browsers to send violations back to a collector.

How to use

  1. Start with the strict preset (everything off) and turn on only what your page actually needs.
  2. `self` is the right answer for most page-level features. `*` is rarely the right answer — it lets every iframe use the feature.
  3. Custom mode takes an allowlist of origins (`https://embed.example.com https://other.com`). `self` and `*` are tokens; anything else needs the full origin, scheme included.
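The three steps above, carried through in code as an added example (not the builder's own source): a strict preset with everything off, per-feature overrides, and the header value emitted in the structured-header syntax, with the same two warnings the tool raises. The input shape (`"none"`, `"self"`, `"*"`, or an array of custom-list entries) is an assumption of this example.

```javascript
// Added example: build a Permissions-Policy value from a feature -> allowlist
// map. Assumed values: "none", "self", "*", or an array of custom entries
// (the tokens self / * or full origins such as https://embed.example.com).
const FEATURE_RE = /^[a-z][a-z0-9-]*$/;
const ORIGIN_RE = /^https?:\/\/[^\s/?#]+$/; // scheme + host[:port], no path

// Step 1 of the how-to: start with everything off, then enable only what is needed.
function strictPreset(features, overrides = {}) {
  const policy = {};
  for (const f of features) policy[f] = "none";
  return { ...policy, ...overrides };
}

function buildPermissionsPolicy(policy) {
  const directives = [];
  const warnings = [];
  for (const [feature, allow] of Object.entries(policy)) {
    if (!FEATURE_RE.test(feature)) throw new Error(`bad feature name: ${feature}`);
    if (allow === "none") {
      directives.push(`${feature}=()`);        // empty allowlist: blocked everywhere
    } else if (allow === "self") {
      directives.push(`${feature}=(self)`);    // the page's own origin only
    } else if (allow === "*") {
      warnings.push(`${feature}: '*' hands the feature to every embedded origin`);
      directives.push(`${feature}=*`);
    } else if (Array.isArray(allow)) {
      const items = [];
      for (const entry of allow) {
        if (entry === "self" || entry === "*") {
          if (entry === "*") warnings.push(`${feature}: '*' in a custom list is a wildcard`);
          items.push(entry);                   // bare tokens, never quoted
        } else if (ORIGIN_RE.test(entry)) {
          items.push(`"${entry}"`);            // origins are quoted strings
        } else {
          // Dropped, not emitted: allowlist origins are parsed as quoted
          // strings, so a bare host or partial origin is not a valid entry.
          warnings.push(`${feature}: '${entry}' is not a full origin (scheme://host[:port])`);
        }
      }
      directives.push(`${feature}=(${items.join(" ")})`);
    } else {
      throw new Error(`unsupported allowlist for ${feature}: ${allow}`);
    }
  }
  return { header: directives.join(", "), warnings };
}
```

Send the returned `header` as the `Permissions-Policy` value on every HTML response and surface `warnings` at build time, where a wildcard or a schemeless origin is still cheap to fix.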

Frequently asked questions

Permissions-Policy vs Feature-Policy?
Same idea, new syntax. Feature-Policy used a space-separated list of origins per directive; Permissions-Policy uses structured-header syntax, `feature=(origin1 origin2)`. Browsers honour Permissions-Policy now; serve both during the transition window if you support old browsers.
Why is wildcard `*` risky?
Wildcard hands the feature to every nested iframe — including third-party embeds you don't fully trust. If a malvertising or supply-chain compromise injects an iframe, `*` is the difference between 'they can spy with the camera' and 'they can't.'