Feature Policy Security Header
A new security header has been added to the https://securityheaders.com/ checking service, the Feature Policy header.
Feature-Policy is a new response header that lets a site control which browser features and APIs its own pages, and any frames they embed, are allowed to use. In my case, on both my websites, I have blocked everything except the fullscreen feature.
This is the line I inserted in my nginx configuration file to do that (the keywords must be written with the quotes, exactly as in CSP, because a bare `self` or `none` is not a valid origin and is dropped by the browser, which leaves an empty allowlist and disables the feature even for your own origin):
add_header Feature-Policy "geolocation 'none';midi 'none';notifications 'none';push 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'none';vibrate 'none';fullscreen 'self';payment 'none';";
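To see what a policy like this actually grants, here is an added example (not code from the original post) that parses a Feature-Policy header value and answers "may origin X use feature Y on a page served by origin Z?", following the allowlist rules of the WICG draft: each `;`-separated directive is a feature name followed by `*`, the quoted keyword `'self'`, the quoted keyword `'none'`, or a list of origins; any other token is not an origin and is discarded, and an empty allowlist means the feature is disabled everywhere. The two header strings embedded below are the post's policy with the keywords unquoted (as easily mistyped) and with them quoted; the origins used in the demo are made up, and the per-feature default allowlist is passed in by the caller because the draft assigns a different default ('self' or '*') to each feature.

```python
"""Parse a Feature-Policy header value and decide which origins may use a feature.

Added example, not code from the original post. Models the allowlist parsing of
the 2018 WICG Feature Policy draft: '*', the quoted keywords 'self' and 'none',
or origins; anything else (including a bare self/none) is dropped, and an empty
allowlist disables the feature. Default allowlists are supplied by the caller.
"""
from urllib.parse import urlsplit

# Constructed inputs: the post's policy with the keywords unquoted (a common
# mistake) and the same policy with the keywords quoted as the draft requires.
POST_UNQUOTED = ("geolocation none;midi none;notifications none;push none;"
                 "sync-xhr none;microphone none;camera none;magnetometer none;"
                 "gyroscope none;speaker none;vibrate none;fullscreen self;payment none;")
POST_QUOTED = ("geolocation 'none';midi 'none';notifications 'none';push 'none';"
               "sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';"
               "gyroscope 'none';speaker 'none';vibrate 'none';fullscreen 'self';payment 'none';")


def normalise_origin(token: str):
    """Return scheme://host[:port] in lower case, or None if token is not an origin."""
    parts = urlsplit(token)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    base = f"{parts.scheme}://{parts.hostname}"
    return f"{base}:{parts.port}" if parts.port else base


def parse_feature_policy(header: str) -> dict:
    """Map each feature to its allowlist: {'*'}, a set of origins and/or "'self'", or empty."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        feature, allowed = tokens[0].lower(), set()
        for tok in tokens[1:]:
            if tok == "*":
                allowed = {"*"}          # wildcard overrides everything else
                break
            if tok == "'self'":
                allowed.add("'self'")
            elif tok == "'none'":
                pass                     # explicit 'none' adds nothing; list stays empty
            else:
                origin = normalise_origin(tok)
                if origin is not None:
                    allowed.add(origin)
                # an unparsable token such as a bare `self` is silently dropped,
                # which is why "fullscreen self" ends up disabling fullscreen
        policy[feature] = allowed
    return policy


def allows_feature(policy, feature, origin, self_origin, default="'self'"):
    """True if `origin` may use `feature` on a page served from `self_origin`.

    `default` is the allowlist used when the header does not mention the feature
    ("'self'", "'none'" or "*"); pass the draft's default for that feature.
    """
    allowed = policy.get(feature.lower())
    if allowed is None:
        allowed = {default}
    if "*" in allowed:
        return True
    if "'self'" in allowed and normalise_origin(origin) == normalise_origin(self_origin):
        return True
    return normalise_origin(origin) in allowed


if __name__ == "__main__":
    page = "https://example.com"  # constructed origin for the demo
    for label, hdr in (("keywords unquoted", POST_UNQUOTED), ("keywords quoted", POST_QUOTED)):
        ok = allows_feature(parse_feature_policy(hdr), "fullscreen", page, page)
        print(f"{label}: fullscreen allowed for the page's own origin? {ok}")
```

Run it and the unquoted variant reports that fullscreen is not allowed even for the site itself, while the quoted variant allows it for the page's origin only; the same parser will also show you what a third-party origin listed in, say, `camera https://cdn.example.com` is granted, which is the check worth doing before you publish a policy that is meant to lock things down.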
References
- Feature Policy - Draft Community Group Report, 26 July 2018 https://wicg.github.io/feature-policy/
- Introduction to Feature Policy by Eric Bidelman https://developers.google.com/web/updates/2018/06/feature-policy
- A new security header: Feature Policy by Scott Helme https://scotthelme.co.uk/a-new-security-header-feature-policy/
Analyse your HTTP response headers
Scan your site now at https://securityheaders.com/ and get a decent grade like A or A+, please.