{"library":"permissions-policy","title":"Permissions Policy Middleware","description":"The `permissions-policy` package provides Express and Connect middleware for managing the `Permissions-Policy` HTTP header. This header controls which browser features and APIs (like camera, microphone, geolocation) are available to a document and its iframes, enhancing web security. It is the modern successor to the deprecated `Feature-Policy` header and is built upon the foundational work of Evan Hahn, a well-known contributor to web security middleware (e.g., Helmet). Currently stable at version 0.6.0, the package receives periodic updates, with recent releases focusing on improved ESM exports and increased flexibility in defining policy directives. Its primary differentiator is its dedicated, streamlined focus on this single, crucial security header, making it an ideal component for integration into broader security middleware suites.","language":"javascript","status":"active","last_verified":"Thu Apr 23","install":{"commands":["npm install permissions-policy"],"cli":null},"imports":["import permissionsPolicy from 'permissions-policy';","const permissionsPolicy = require('permissions-policy');","import type { PermissionsPolicyOptions } from 'permissions-policy';"],"auth":{"required":false,"env_vars":[]},"quickstart":{"code":"import express from 'express';\nimport permissionsPolicy from 'permissions-policy';\nimport { Request, Response, NextFunction } from 'express';\n\nconst app = express();\nconst port = 3000;\n\n// Apply the permissions-policy middleware early in your middleware chain.\napp.use(\n  permissionsPolicy({\n    features: {\n      fullscreen: ['self'],          // Allows fullscreen requests from the current origin.\n      vibrate: ['none'],             // Disables the Vibration API entirely.\n      payment: ['self', 'https://example.com'], // Allows Payment Request API from 'self' and 'example.com'.\n      syncXhr: [],                   // Disables synchronous XMLHttpRequest.\n      accelerometer: ['self'],       // Allows accelerometer access from 'self'.\n      camera: ['*'],                 // Allows camera access from any origin (use with caution).\n      interestCohort: ['*']          // Allows FLoC/Interest Cohort API from any origin.\n    },\n    // Custom or experimental directives can be added since v0.6.0\n    'my-experimental-feature': ['self', 'https://cdn.my-site.com'],\n  })\n);\n\napp.get('/', (req: Request, res: Response) => {\n  res.send('Hello! Check your response headers for Permissions-Policy.');\n});\n\napp.get('/test-policy', (req: Request, res: Response) => {\n  res.status(200).send('This page has a Permissions-Policy header set.');\n});\n\napp.listen(port, () => {\n  console.log(`Server listening at http://localhost:${port}`);\n  console.log('Open http://localhost:3000 in your browser and inspect network headers.');\n});","lang":"typescript","description":"This quickstart initializes an Express app and applies the `permissions-policy` middleware to set the `Permissions-Policy` HTTP header with common feature configurations, demonstrating how to enable or disable various browser APIs for a web application.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}