Permissions-Policy Header Checker

Checks whether a website returns the Permissions-Policy response header (and optionally the legacy Feature-Policy header).

Permissions-Policy controls what powerful browser features are allowed (camera, microphone, geolocation, etc.). Misconfiguration can increase security/privacy risk.

What the Actor does

For each URL it:

1. Fetches response headers (HEAD first, optional GET fallback)
2. Parses Permissions-Policy (and Feature-Policy if enabled)
3. Flags missing headers, invalid directives, and risky * wildcards for sensitive features
4. Outputs per-URL results plus SUMMARY and REPORT

Input

• Start URLs (startUrls): Request List Sources format
• Request strategy (requestStrategy): HEAD-only, GET-only, or HEAD→GET fallback
• Accept legacy Feature-Policy (acceptLegacyFeaturePolicy): if Permissions-Policy is missing, parse Feature-Policy
• Warn when missing (warnOnMissing): warn if neither header is present

Plus: maxUrls, timeoutSecs, followRedirects, maxRedirects, maxConcurrency, proxyConfiguration.

Output

Dataset (per-URL results)

Each item contains:

• startUrl, finalUrl, statusCode, usedMethod, timingMs, checkedAt
• permissionsPolicyRaw, featurePolicyRaw
• effectiveHeaderName, effectiveHeaderRaw
• directives, invalidDirectives
• sensitiveWildcardFeatures
• score, ok, warningCount, errorCount, issues

Key-value store

• SUMMARY: aggregate stats and top issues
• REPORT: same as summary (structured JSON)

Example input

{
  "startUrls": [
    { "url": "https://example.com" },
    { "url": "https://httpbin.org/response-headers?Permissions-Policy=geolocation%3D(self)" }
  ],
  "maxUrls": 2,
  "timeoutSecs": 20,
  "requestStrategy": "HEAD_THEN_GET",
  "acceptLegacyFeaturePolicy": true,
  "warnOnMissing": true,
  "maxConcurrency": 5,
  "proxyConfiguration": { "useApifyProxy": false }
}

Quick start

Store page: https://apify.com/scrappy_garden/permissions-policy-header-checker

Paste this into Input and click Run:

{
  "startUrls": [
    {
      "url": "https://example.com/"
    }
  ],
  "proxyConfiguration": {
    "useApifyProxy": false
  }
}

Outputs (what you get)

• Dataset: Dataset items typically include fields like: startUrl, finalUrl, statusCode, usedMethod, effectiveHeaderName, sensitiveWildcardFeatures, score, ok, warningCount, errorCount.
• Key-value store: REPORT, SUMMARY

Tips (trust + predictable results)

• Start with 1–3 URLs to validate behavior, then scale up.
• If a target blocks requests, enable Proxy and/or slow down concurrency in Input.
• Use the SUMMARY / REPORT keys (when present) for automation pipelines and monitoring.

Related actors

• security-headers-checker (https://apify.com/scrappy_garden/security-headers-checker)
• hsts-header-checker (https://apify.com/scrappy_garden/hsts-header-checker)
• cache-control-checker (https://apify.com/scrappy_garden/cache-control-checker)
• content-type-header-validator (https://apify.com/scrappy_garden/content-type-header-validator)

Search keywords

permissions policy header checker, permissions-policy header checker - audit browser feature permissions, website audit, seo, http headers