{"id":17869,"library":"permissions-policy","title":"Permissions Policy Middleware","description":"The `permissions-policy` package provides Express and Connect middleware for managing the `Permissions-Policy` HTTP header. This header controls which browser features and APIs (like camera, microphone, geolocation) are available to a document and its iframes, enhancing web security. It is the modern successor to the deprecated `Feature-Policy` header and is built upon the foundational work of Evan Hahn, a well-known contributor to web security middleware (e.g., Helmet). Currently stable at version 0.6.0, the package receives periodic updates, with recent releases focusing on improved ESM exports and increased flexibility in defining policy directives. Its primary differentiator is its dedicated, streamlined focus on this single, crucial security header, making it an ideal component for integration into broader security middleware suites.","status":"active","version":"0.6.0","language":"javascript","source_language":"en","source_url":"git://github.com/pedro-gbf/permissions-policy","tags":["javascript","helmet","security","express","connect","permissions-policy","typescript"],"install":[{"cmd":"npm install permissions-policy","lang":"bash","label":"npm"},{"cmd":"yarn add permissions-policy","lang":"bash","label":"yarn"},{"cmd":"pnpm add permissions-policy","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This package is an Express/Connect middleware and is intended to be used within an Express application.","package":"express","optional":true},{"reason":"This package is an Express/Connect middleware and is intended to be used within a Connect-compatible application.","package":"connect","optional":true}],"imports":[{"note":"The main middleware function is exported as a default export for ESM.","wrong":"import { permissionsPolicy } from 'permissions-policy';","symbol":"permissionsPolicy","correct":"import permissionsPolicy from 'permissions-policy';"},{"note":"For CommonJS, the module exports the middleware function directly. The package supports dual CommonJS/ESM exports since v0.5.0.","wrong":"const { permissionsPolicy } = require('permissions-policy');","symbol":"permissionsPolicy","correct":"const permissionsPolicy = require('permissions-policy');"},{"note":"Import the type definition for configuring the middleware. The package ships with TypeScript types.","symbol":"PermissionsPolicyOptions","correct":"import type { PermissionsPolicyOptions } from 'permissions-policy';"}],"quickstart":{"code":"import express from 'express';\nimport permissionsPolicy from 'permissions-policy';\nimport { Request, Response, NextFunction } from 'express';\n\nconst app = express();\nconst port = 3000;\n\n// Apply the permissions-policy middleware early in your middleware chain.\napp.use(\n  permissionsPolicy({\n    features: {\n      fullscreen: ['self'],          // Allows fullscreen requests from the current origin.\n      vibrate: ['none'],             // Disables the Vibration API entirely.\n      payment: ['self', 'https://example.com'], // Allows Payment Request API from 'self' and 'example.com'.\n      syncXhr: [],                   // Disables synchronous XMLHttpRequest.\n      accelerometer: ['self'],       // Allows accelerometer access from 'self'.\n      camera: ['*'],                 // Allows camera access from any origin (use with caution).\n      interestCohort: ['*']          // Allows FLoC/Interest Cohort API from any origin.\n    },\n    // Custom or experimental directives can be added since v0.6.0\n    'my-experimental-feature': ['self', 'https://cdn.my-site.com'],\n  })\n);\n\napp.get('/', (req: Request, res: Response) => {\n  res.send('Hello! Check your response headers for Permissions-Policy.');\n});\n\napp.get('/test-policy', (req: Request, res: Response) => {\n  res.status(200).send('This page has a Permissions-Policy header set.');\n});\n\napp.listen(port, () => {\n  console.log(`Server listening at http://localhost:${port}`);\n  console.log('Open http://localhost:3000 in your browser and inspect network headers.');\n});","lang":"typescript","description":"This quickstart initializes an Express app and applies the `permissions-policy` middleware to set the `Permissions-Policy` HTTP header with common feature configurations, demonstrating how to enable or disable various browser APIs for a web application."},"warnings":[{"fix":"Ensure you are using the `Permissions-Policy` header and its syntax, as `Feature-Policy` is no longer supported by modern browsers.","message":"The `Feature-Policy` HTTP header, which this package is based on, has been officially deprecated in favor of `Permissions-Policy`. While this middleware sets the current standard, users migrating from older `Feature-Policy` implementations should ensure they update their policies and expectations accordingly.","severity":"breaking","affected_versions":"all"},{"fix":"Carefully review all feature names and their values in your configuration to ensure they are valid Permissions Policy directives, especially when adding new or experimental ones. The middleware will no longer prevent potentially invalid directives from being sent.","message":"Since version 0.6.0, the middleware has removed internal restrictions on which directives (feature names) can be set. This means any key provided in the `features` object will be included in the header, even if it's not a standard or officially supported Permissions Policy directive. This offers flexibility but removes a layer of validation that might have caught typos or unsupported features in previous versions.","severity":"gotcha","affected_versions":">=0.6.0"},{"fix":"For CommonJS environments, ensure your Node.js version supports dual-packaging correctly, or if using a bundler, confirm it correctly interprets the `main` or `exports` field in the package's `package.json`. For modern applications, prefer ESM imports: `import permissionsPolicy from 'permissions-policy';`.","message":"Starting with version 0.5.0, the package exports were changed to prioritize ES6 modules for smaller bundle sizes. While dual-packaging is generally supported, some older CommonJS-only environments or specific bundler configurations might encounter issues if they do not correctly resolve the CommonJS entry point.","severity":"gotcha","affected_versions":">=0.5.0"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"For ESM, use `import permissionsPolicy from 'permissions-policy';`. For CommonJS, use `const permissionsPolicy = require('permissions-policy');`. Verify your `tsconfig.json` (if TypeScript) and `package.json` `type` field are correctly configured for your project's module system.","cause":"This usually indicates an incorrect import or require statement, especially when mixing CommonJS and ES Modules syntax, or if the module resolution is misconfigured.","error":"TypeError: permissionsPolicy is not a function"},{"fix":"Change your import statement to use ESM syntax: `import permissionsPolicy from 'permissions-policy';`. If you need to use CommonJS modules, ensure your file is treated as CommonJS (e.g., `.cjs` extension or `type: \"commonjs\"` in `package.json`).","cause":"You are attempting to use `require()` within an ES module file (`.mjs` or a `.js` file when `type: \"module\"` is set in `package.json`).","error":"ReferenceError: require is not defined in ES module scope"},{"fix":"Ensure `app.use(permissionsPolicy(...))` is called early in your application's setup, typically before any route handlers or other middleware that might send a response. Also, verify that the `features` configuration object is correctly structured and not empty.","cause":"The middleware might not be active, or it's placed too late in the Express/Connect middleware chain after the response has already been sent or modified.","error":"Permissions-Policy header not present in response"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}