{"id":6596,"library":"django-permissions-policy","title":"Django Permissions Policy","description":"django-permissions-policy is a Django middleware that sets the Permissions-Policy HTTP header on your Django application. This header allows web developers to selectively enable or disable various browser features and APIs (e.g., camera, geolocation, autoplay) for the current document and any embedded iframes, enhancing security and privacy. The library, currently at version 4.29.0, is actively maintained with a regular release cadence.","status":"active","version":"4.29.0","language":"en","source_language":"en","source_url":"https://github.com/adamchainz/django-permissions-policy","tags":["django","security","http header","permissions-policy","middleware","browser features"],"install":[{"cmd":"pip install django-permissions-policy","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Core framework requirement for middleware integration.","package":"Django","version":">=4.2, <6.1"},{"reason":"Runtime environment.","package":"Python","version":">=3.10, <3.15"}],"imports":[{"symbol":"PermissionsPolicyMiddleware","correct":"from django_permissions_policy import PermissionsPolicyMiddleware"}],"quickstart":{"code":"# settings.py\n\nMIDDLEWARE = [\n    # ...\n    \"django.middleware.security.SecurityMiddleware\",\n    \"django_permissions_policy.PermissionsPolicyMiddleware\",\n    # ...\n]\n\nPERMISSIONS_POLICY = {\n    \"accelerometer\": [],\n    \"ambient-light-sensor\": [],\n    \"autoplay\": [],\n    \"camera\": [],\n    \"display-capture\": [],\n    \"encrypted-media\": [],\n    \"fullscreen\": [],\n    \"geolocation\": [],\n    \"gyroscope\": [],\n    \"interest-cohort\": [],\n    \"magnetometer\": [],\n    \"microphone\": [],\n    \"midi\": [],\n    \"payment\": [],\n    \"usb\": [],\n}\n\n# Or for report-only mode:\n# PERMISSIONS_POLICY_REPORT_ONLY = {\n#     \"geolocation\": [\"self\"],\n#     \"camera\": [],\n# }","lang":"python","description":"Add `PermissionsPolicyMiddleware` to your `MIDDLEWARE` setting, ideally after Django's `SecurityMiddleware`. Then, define your desired policy using the `PERMISSIONS_POLICY` dictionary in your `settings.py` file. You can also use `PERMISSIONS_POLICY_REPORT_ONLY` for testing policies without enforcing them."},"warnings":[{"fix":"Update middleware path in `settings.py` to `django_permissions_policy.PermissionsPolicyMiddleware` and setting names to `PERMISSIONS_POLICY` or `PERMISSIONS_POLICY_REPORT_ONLY`.","message":"The library was renamed from `django-feature-policy` to `django-permissions-policy` in version 4.0.0. The middleware class was renamed from `FeaturePolicyMiddleware` to `PermissionsPolicyMiddleware`, and the setting from `FEATURE_POLICY` to `PERMISSIONS_POLICY`. While old names are supported as aliases for backward compatibility, it's recommended to update to the new names.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Ensure policy values for origins are plain strings without embedded quotes, e.g., `['self', 'https://example.com']`.","message":"When specifying origins in your policy settings (e.g., for `PERMISSIONS_POLICY`), use Python strings like `'self'`, `'*'`, or `'https://example.com'`. Do not embed double quotes around domain names inside the string, as the middleware automatically adds them for the HTTP header. For example, use `'https://example.com'` instead of `'\"https://example.com\"'`.","severity":"gotcha","affected_versions":"All"},{"fix":"Replace `\"feature-name\": \"none\"` with `\"feature-name\": []`.","message":"To entirely disallow a feature (no origins allowed), use an empty list `[]` as its value in the policy dictionary. The legacy value `'none'` is supported for backward compatibility but is ignored and should be replaced with `[]`.","severity":"gotcha","affected_versions":"All"},{"fix":"Refer to the W3C spec or MDN for a full list of valid feature names and ensure correct origin syntax. Check Django logs for `ImproperlyConfigured` errors during startup.","message":"Incorrect keys or values in `PERMISSIONS_POLICY` or `PERMISSIONS_POLICY_REPORT_ONLY` settings can raise an `ImproperlyConfigured` exception. Browsers may also log warnings for features they don't recognize; these can generally be ignored if the names are valid according to the W3C spec, as the library performs basic validation.","severity":"gotcha","affected_versions":"All"},{"fix":"Verify that `django_permissions_policy.PermissionsPolicyMiddleware` is positioned correctly in your `MIDDLEWARE` list.","message":"The placement of `PermissionsPolicyMiddleware` within your `MIDDLEWARE` list in `settings.py` is crucial. It's recommended to place it after `django.middleware.security.SecurityMiddleware` to ensure it integrates correctly within Django's security stack.","severity":"gotcha","affected_versions":"All"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z","problems":[]}