# ---------------------------------------------------------------------- # | Permissions Policy | # ---------------------------------------------------------------------- # Set a strict Permissions Policy to mitigate access to browser features. # # The header uses a structured syntax, and allows sites to more tightly # restrict which origins can be granted access to features. # The list of available features: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md # # The example policy below aims to disable all features expect synchronous # `XMLHttpRequest` requests on the same origin. # # To check your Permissions Policy, you can use an online service, such as: # https://securityheaders.com/ # https://observatory.mozilla.org/ # # https://www.w3.org/TR/permissions-policy-1/ # https://owasp.org/www-project-secure-headers/#permissions-policy # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy # https://scotthelme.co.uk/a-new-security-header-feature-policy/ add_header Permissions-Policy $permissions_policy always;