Updating to Permissions policy header using Cloudflare workers

I’ve previously written about using Cloudflare workers to add security headers to various sites, in particular static sites such as this blog. If you’ve not read that post I’d highly recommend starting there first as this post will not cover the details again.

Recently I saw the following Tweet:

The Feature-Policy header is being replaced with the Permissions-Policy header. It's not a simple rename either: the new header requires a minor tweak to the format.

As a result of this change this blog is no longer A+ rated. Luckily, because I'm using Cloudflare workers to add the headers, I can make a quick change to the worker and fix this issue. One of the key benefits of using a platform like Cloudflare workers is that I can do this without needing to re-deploy anything else.

Before we make any changes, we can see we’ve dropped to an A rating (oh the horror!) and the Security Headers scanner is highlighting the missing header.

[Screenshot: Security Headers scan showing an A rating]

Currently our Feature-Policy header is defined as:

    response.headers.set('Feature-Policy', 'accelerometer \'none\'; camera \'none\'; geolocation \'none\'; gyroscope \'none\'; magnetometer \'none\'; microphone \'none\'; payment \'none\'; usb \'none\'');

We need to change this to meet the requirements of the new Permissions-Policy header:

    response.headers.set('Permissions-Policy', 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()');

This change took less than 5 minutes to make and roll out, the hardest bit being formatting the string properly (admittedly, as my policy is very basic, it didn't require extensive testing).
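Formatting the string by hand is where mistakes creep in, so here is an added example (not the blog's own worker code) that converts a Feature-Policy value into Permissions-Policy syntax and applies it from a worker. It goes a little beyond the post's `'none'`-only policy by also handling `'self'`, `*` and explicit origins; `FEATURE_POLICY` and `handleRequest` are names assumed for the example.

```javascript
// Added example: translate Feature-Policy syntax to Permissions-Policy syntax.
//   Feature-Policy:     feature 'none' | 'self' | * | origin ...   (separated by ';')
//   Permissions-Policy: feature=() | (self) | * | ("origin" self)   (separated by ',')
function featureToPermissionsPolicy(featurePolicy) {
  const directives = [];
  for (const raw of featurePolicy.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;                      // tolerate a trailing ';'
    const [feature, ...allowlist] = directive.split(/\s+/);
    const values = allowlist
      .map((v) => v.replace(/^'|'$/g, ''))         // strip the single quotes Feature-Policy uses
      .filter((v) => v !== 'none')                 // 'none' simply yields an empty allowlist
      .map((v) => (v === 'self' || v === '*' ? v : `"${v}"`)); // origins become double-quoted
    if (values.includes('*')) {
      directives.push(`${feature}=*`);             // wildcard is written without parentheses
    } else {
      directives.push(`${feature}=(${values.join(' ')})`);
    }
  }
  return directives.join(', ');
}

// Constructed policy for the example; the blog's real policy is all 'none'.
const FEATURE_POLICY =
  "accelerometer 'none'; camera 'none'; geolocation 'self' https://maps.example.com; payment 'none'";

// Worker handler: fetch the origin response, then set the new header and drop the old one.
async function handleRequest(request) {
  const upstream = await fetch(request);
  const response = new Response(upstream.body, upstream); // copy; fetched headers are immutable
  response.headers.set('Permissions-Policy', featureToPermissionsPolicy(FEATURE_POLICY));
  response.headers.delete('Feature-Policy');              // avoid shipping the deprecated header too
  return response;
}

// Register with the Workers runtime; skipped when the file is run under plain Node.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```

Running the converter over the post's original Feature-Policy string produces exactly the Permissions-Policy string shown above, which is a quick way to check a hand-written conversion.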

Now we're back to the A+ rating as before.

[Screenshot: Security Headers scan results after the header change, showing A+]

Hopefully this post demonstrates how easily you can make changes to your sites without the concern/overhead of having to re-deploy everything.

Also check out Scott Helme’s blog post which goes into more detail around the changes you need to make to your policy if it’s not as simple as mine.

As a reminder I’m not paying a penny for these Cloudflare workers (see the previous post which goes into pricing details).

Shout out to Scott Helme and Security Headers for their awesome work :)