Feature Policy Middleware

0.6.0 · maintenance · verified Wed Apr 22

This package, `feature-policy` (current stable version 0.6.0), provides Express/Connect middleware that sets the `Feature-Policy` HTTP header. The header lets a site selectively enable or disable browser features and APIs for a document and for the frames it embeds, so that powerful capabilities such as geolocation or camera access cannot be used by content that should not have them. Its main convenience is a simple object-based configuration: each key names a browser feature (`fullscreen`, `vibrate`, `payment`, `syncXhr` and many others) and each value is that feature's allowlist. Note, however, that browsers have deprecated the `Feature-Policy` header in favor of `Permissions-Policy`. This module is therefore in maintenance mode: existing deployments keep working and critical bug fixes are still published, but no new features will be added and the module will not track future browser changes, so its release cadence is effectively halted. New projects should use `Permissions-Policy` directly, and existing users should plan an eventual migration.

Quickstart

Demonstrates how to integrate and configure `feature-policy` middleware in an Express application to set browser feature permissions, applying a policy to all incoming requests.

const express = require('express');
const featurePolicy = require('feature-policy');
const app = express();

// Register the middleware before any routes so every response carries the header.
// Each key is a camelCase feature name; each value is that feature's allowlist
// ('self', 'none', '*' or one or more origins).
app.use(
  featurePolicy({
    features: {
      fullscreen: ["'self'"],   // only this document's own origin may go fullscreen
      vibrate: ["'none'"],      // disabled everywhere, including the top-level document
      payment: ["example.com"], // allowed only for that origin
      syncXhr: ["'none'"]       // synchronous XMLHttpRequest disabled
    }
  })
);

app.get('/', (req, res) => {
  res.send('Hello World! Check your response headers for Feature-Policy.');
});

// Fall back to port 3000 when PORT is unset
const PORT = process.env.PORT ?? 3000;
app.listen(PORT, () => {
  console.log(`Server listening on port ${PORT}`);
});
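As an added example (not the `feature-policy` package's own code), the following shows what the quickstart's `features` object serialises to on the wire and how the same object maps onto the replacement `Permissions-Policy` header that the maintenance note recommends migrating to, so both headers can be sent during a transition. The helper names are hypothetical, and it assumes that a bare host such as `example.com` should be treated as an `https` origin, since `Permissions-Policy` allowlists require full origins.

```javascript
// Constructed config, the same `features` object as the quickstart above
const features = {
  fullscreen: ["'self'"],
  vibrate: ["'none'"],
  payment: ['example.com'],
  syncXhr: ["'none'"],
};
// camelCase keys (syncXhr) become the dashed directive names sent on the wire (sync-xhr)
const dashify = (name) => name.replace(/[A-Z]/g, (c) => `-${c.toLowerCase()}`);

// Reject configurations that would otherwise serialise to a contradictory policy
function checkAllowlist(feature, allowlist) {
  const ok = Array.isArray(allowlist) && allowlist.length > 0 &&
    allowlist.every((item) => typeof item === 'string' && item.trim() !== '');
  if (!ok) throw new TypeError(`${feature}: allowlist must be a non-empty array of strings`);
  if (allowlist.includes("'none'") && allowlist.length > 1) {
    throw new TypeError(`${feature}: 'none' cannot be combined with other entries`);
  }
}

// Feature-Policy syntax: "<feature> <item> <item>; <feature> ..."
function featurePolicyValue(config) {
  return Object.entries(config).map(([feature, allowlist]) => {
    checkAllowlist(feature, allowlist);
    return [dashify(feature), ...allowlist].join(' ');
  }).join('; ');
}

// Permissions-Policy syntax: `<feature>=(self "https://origin"), <feature>=()`:
// self and * are bare tokens, origins are quoted strings and 'none' becomes ().
// Assumption: a bare host such as example.com is treated as an https origin.
function permissionsPolicyValue(config) {
  return Object.entries(config).map(([feature, allowlist]) => {
    checkAllowlist(feature, allowlist);
    const items = allowlist.filter((item) => item !== "'none'").map((item) => {
      if (item === "'self'" || item === '*') return item.replace(/'/g, '');
      return JSON.stringify(/^https?:\/\//.test(item) ? item : `https://${item}`);
    });
    return `${dashify(feature)}=(${items.join(' ')})`;
  }).join(', ');
}

// Express-style middleware that sets both headers on every response
function policyHeaders(config) {
  const fp = featurePolicyValue(config), pp = permissionsPolicyValue(config);
  return (req, res, next) => {
    res.setHeader('Feature-Policy', fp);
    res.setHeader('Permissions-Policy', pp);
    next();
  };
}
```

Mount it with `app.use(policyHeaders(features))` in place of the quickstart's `app.use(featurePolicy(...))` call; the values are computed once at startup, so a bad allowlist fails at boot rather than per request.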
