{"id":17128,"library":"feature-policy","title":"Feature Policy Middleware","description":"This package, `feature-policy` (current stable version 0.6.0), provides Express/Connect middleware for setting the `Feature-Policy` HTTP header. This header allows web developers to selectively enable or disable browser features and APIs for a document or specific frames, helping to enhance security and user experience by preventing misuse of powerful features like geolocation or camera access. Key differentiators include its simple, object-based configuration API, which supports a wide array of browser features such as `fullscreen`, `vibrate`, `payment`, and `syncXhr`, making it easy to manage permissions. However, it is crucial for users to understand that the `Feature-Policy` header itself has been deprecated by browsers in favor of the more modern `Permissions-Policy`. Consequently, this module is now in maintenance mode, meaning it will continue to be supported for existing implementations but will not receive new features or updates to align with future browser developments. Its release cadence is effectively halted, focusing only on critical bug fixes to ensure stability for current users. Users are advised to consider migrating to `Permissions-Policy` for new projects or plan for eventual migration.","status":"maintenance","version":"0.6.0","language":"javascript","source_language":"en","source_url":"git://github.com/helmetjs/feature-policy","tags":["javascript","helmet","security","express","connect","feature-policy","typescript"],"install":[{"cmd":"npm install feature-policy","lang":"bash","label":"npm"},{"cmd":"yarn add feature-policy","lang":"bash","label":"yarn"},{"cmd":"pnpm add feature-policy","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This module uses a default export for the middleware function. 
For TypeScript, use `import featurePolicy from 'feature-policy';` to correctly import the function and its types.","wrong":"import { featurePolicy } from 'feature-policy';","symbol":"featurePolicy","correct":"import featurePolicy from 'feature-policy';"},{"note":"In CommonJS environments, the middleware function is the default export and is accessed directly from the `require` call.","wrong":"const { featurePolicy } = require('feature-policy');","symbol":"featurePolicy","correct":"const featurePolicy = require('feature-policy');"},{"note":"Type import for configuring the middleware options, available since the package ships TypeScript types. Useful for strict type checking in TypeScript projects.","symbol":"FeaturePolicyOptions","correct":"import type { FeaturePolicyOptions } from 'feature-policy';"}],"quickstart":{"code":"const express = require('express');\nconst featurePolicy = require('feature-policy');\nconst app = express();\n\napp.use(\n  featurePolicy({\n    features: {\n      fullscreen: [\"'self'\"],\n      vibrate: [\"'none'\"],\n      payment: [\"example.com\"],\n      syncXhr: [\"'none'\"]\n    }\n  })\n);\n\napp.get('/', (req, res) => {\n  res.send('Hello World! Check your response headers for Feature-Policy.');\n});\n\nconst PORT = process.env.PORT ?? 3000;\napp.listen(PORT, () => {\n  console.log(`Server listening on port ${PORT}`);\n});","lang":"javascript","description":"Demonstrates how to integrate and configure `feature-policy` middleware in an Express application to set browser feature permissions, applying a policy to all incoming requests."},"warnings":[{"fix":"Migrate to using `Permissions-Policy` headers directly or a module designed for `Permissions-Policy` to ensure future browser compatibility and security for new projects. This module should only be used for maintaining legacy systems.","message":"The `Feature-Policy` HTTP header, which this module sets, has been officially deprecated by all major browsers. 
It is being superseded by the `Permissions-Policy` header.","severity":"breaking","affected_versions":">=0.1.0"},{"fix":"Evaluate the need for `feature-policy` in new projects carefully. For existing projects, plan for eventual migration to `Permissions-Policy` to avoid relying on a module with static support.","message":"This `feature-policy` module is currently in maintenance mode. No new features, updates to support new browser features, or general enhancements will be added, unless they are critical bug fixes.","severity":"gotcha","affected_versions":">=0.6.0"},{"fix":"Thoroughly test all policy configurations across different browsers and user flows. Start with strict policies and gradually relax them if necessary, meticulously observing browser console warnings/errors related to feature blocking.","message":"Incorrectly configured `feature-policy` directives can unintentionally block legitimate browser features on your site (e.g., fullscreen mode, camera access), leading to a degraded user experience or broken functionality.","severity":"gotcha","affected_versions":"*"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure you are using `app.use(featurePolicy({...}));` in CommonJS or `import featurePolicy from 'feature-policy'; app.use(featurePolicy({...}));` in ESM, correctly invoking the module as a factory function with options.","cause":"Attempting to call the `feature-policy` module directly without passing configuration to its default exported function, or an incorrect import statement (e.g., named import for a default export).","error":"TypeError: featurePolicy is not a function"},{"fix":"Review the `features` configuration within your `featurePolicy` middleware. Ensure that necessary origins (e.g., `'self'`, `'none'`, or specific domain names) are correctly applied. 
Check the browser's developer console for more specific details about the blocked feature and the violated policy.","cause":"A browser feature (like 'fullscreen' or 'geolocation') is being blocked by a `Feature-Policy` directive that is too restrictive or misconfigured for the current context.","error":"Refused to execute '<feature-name>' because it violates the document's feature policy."}],"ecosystem":"npm","meta_description":null}