The web application does not return a Permissions-Policy header. The Permissions-Policy header (formerly named Feature-Policy) is an HTTP response header returned by web applications that restricts the browser functionality available to the web application, to help safeguard against malicious behavior introduced by attackers. For example, if the website does not need to access the microphone or camera, the policy can disable the microphone/camera APIs entirely, so that a successful XSS attack would be unable to exploit them. The Permissions-Policy header is not yet a fully-fledged web standard, though it is widely implemented (particularly on mobile browsers, where control over microphone/camera access is most important).
Recommendation: Introduce a Permissions-Policy header that restricts the APIs available to client-side code to only those necessary for the web application to function correctly.
Severity: Informational
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS Score: 0.0
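As an added example (not part of the original finding), the following Python builds a Permissions-Policy header value from an explicit allowlist, parses an existing header, and audits a set of response headers the way the check behind this finding does: it reports a missing header, a header that only uses the legacy Feature-Policy name, and sensitive features that are left unrestricted. The feature list SENSITIVE_FEATURES and the sample headers are constructed for illustration; the header syntax (feature=(), feature=(self "https://origin"), feature=*) is the one browsers accept.

```python
"""Build, parse and audit a Permissions-Policy header (added example)."""
from typing import Dict, Iterable, List

# Constructed list of features a typical web application does not need.
# Denying them limits what script injected via XSS can call.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")


def build_permissions_policy(allow: Dict[str, Iterable[str]], deny: Iterable[str]) -> str:
    """Return a header value.

    `deny` lists features disabled for every origin (feature=()).
    `allow` maps a feature to its allowlist; the token "self" stays bare,
    any other entry is treated as an origin and quoted.
    """
    parts = [f"{feature}=()" for feature in deny]
    for feature, origins in allow.items():
        tokens = " ".join("self" if o == "self" else f'"{o}"' for o in origins)
        parts.append(f"{feature}=({tokens})")
    return ", ".join(parts)


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse a header value into {feature: [allowlist tokens]}.

    Quotes are stripped from origins; an empty list means the feature is
    disabled everywhere; ["*"] means it is allowed for any origin.
    """
    policy: Dict[str, List[str]] = {}
    for item in value.split(","):
        item = item.strip()
        if "=" not in item:
            continue  # ignore empty or malformed entries
        feature, _, allowlist = item.partition("=")
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            tokens = allowlist[1:-1].split()
        else:
            tokens = [allowlist]  # bare value such as * or self
        policy[feature.strip()] = [t.strip('"') for t in tokens]
    return policy


def audit_headers(headers: Dict[str, str],
                  required_deny: Iterable[str] = SENSITIVE_FEATURES) -> List[str]:
    """Return a list of findings for the response headers; empty means OK.

    Header names are compared case-insensitively.
    """
    lookup = {name.lower(): value for name, value in headers.items()}
    value = lookup.get("permissions-policy")
    if value is None:
        if "feature-policy" in lookup:
            return ["Only the legacy Feature-Policy header is present; add Permissions-Policy"]
        return ["Permissions-Policy header missing"]

    policy = parse_permissions_policy(value)
    findings = []
    for feature in required_deny:
        if feature not in policy:
            findings.append(f"{feature}: not mentioned, browser default allowlist applies")
        elif "*" in policy[feature]:
            findings.append(f"{feature}: allowed for all origins (*)")
    return findings


if __name__ == "__main__":
    # Constructed sample responses.
    recommended = build_permissions_policy(
        allow={"geolocation": ["self"]},
        deny=["camera", "microphone", "payment", "usb"],
    )
    print("Recommended header:", recommended)
    for sample in (
        {"Content-Type": "text/html"},
        {"Feature-Policy": "camera 'none'"},
        {"Permissions-Policy": "camera=*, microphone=()"},
        {"Permissions-Policy": recommended},
    ):
        print(sample, "->", audit_headers(sample) or "OK")
```

The audit treats "not mentioned" as a finding because the browser's default allowlist for most features is `self`, which still lets injected script on the page call the API; an explicit `feature=()` is what actually removes it.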