How to Properly Configure Feature-Policy Header in Apache for Multimedia Sites



The Feature-Policy header (now officially renamed to Permissions-Policy) allows web developers to selectively enable, disable, and modify the behavior of certain browser features and APIs. For multimedia sites, it's particularly important to configure this properly to control access to sensitive features like camera, microphone, and autoplay.

The errors you're seeing occur because:

  • 'vibrate' is not a recognized feature name, so the directive should be removed from the header
  • 'usermedia' should be 'camera' and 'microphone' separately
  • Origin URLs must be properly formatted with protocol (https://)

Here's the proper way to configure your .htaccess file:


Header always set Permissions-Policy "\
  accelerometer=(),\
  autoplay=(self \"https://youtube.com\" \"https://vimeo.com\"),\
  camera=(),\
  fullscreen=(self),\
  geolocation=(),\
  gyroscope=(),\
  magnetometer=(),\
  microphone=(),\
  payment=(),\
  sync-xhr=(self \"https://yourdomain.com\")"

For your multimedia site, focus on these critical policies:


# Allow autoplay only from your site and trusted embeds
autoplay=(self "https://youtube.com" "https://vimeo.com")

# Block camera and microphone access completely
camera=(), microphone=()

# Allow fullscreen for your own content
fullscreen=(self)

After implementing, verify using:

  1. Browser Dev Tools (Network tab)
  2. Online header checkers
  3. Feature-Policy validator tools

Note that modern browsers now use Permissions-Policy. For backward compatibility, you can include both:


# 'vibrate' is left out of both headers: browsers report it as an unrecognized feature.
Header always set Feature-Policy "\
  camera 'none';\
  microphone 'none';\
  payment 'none';\
  autoplay 'self' https://youtube.com https://vimeo.com"

Header always set Permissions-Policy "\
  camera=(),\
  microphone=(),\
  payment=(),\
  autoplay=(self \"https://youtube.com\" \"https://vimeo.com\")"

The Feature-Policy header (now largely replaced by Permissions-Policy in newer browsers) allows web developers to control which browser features can be used on their site. For multimedia sites that handle user-uploaded content or embedded media, this is particularly important for security and privacy.

From your error messages, I can see several issues:

Error with Feature-Policy header: Unrecognized feature: 'vibrate'.
Error with Feature-Policy header: Unrecognized feature: 'usermedia'.
Error with Feature-Policy header: Unrecognized origin: 'mysiteURL.com'.

The main problems are:

  • Using deprecated feature names ('vibrate', 'usermedia')
  • Incorrect origin formatting
  • Mixing old and new syntax

Here's the proper way to implement this in your Apache configuration:

# Origins in Permissions-Policy are double-quoted strings, escaped here inside the Apache argument.
Header always set Permissions-Policy "\
accelerometer=(),\
autoplay=(self \"https://youtube.com\" \"https://vimeo.com\"),\
camera=(),\
geolocation=(),\
gyroscope=(),\
microphone=(),\
payment=(),\
sync-xhr=(self),\
usb=()"

For a site handling user media and embeds, pay special attention to:

# Allow embeds from specific domains
autoplay=(self "https://youtube.com" "https://vimeo.com")

# Restrict sensitive features
microphone=()
camera=()

After implementing, verify with:

curl -I https://yoursite.com

Or check browser developer tools under the Network tab.
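The three problems listed above can also be caught offline, before the header reaches a browser. The following linter is an added example, not part of the original page; its feature list is an assumption limited to the names used in this page's headers, and it splits directives on commas rather than implementing a full structured-header parser.

```python
import re

# Assumption: feature names are those used in the headers on this page,
# not the complete list any particular browser recognizes.
KNOWN_FEATURES = {
    "accelerometer", "autoplay", "camera", "fullscreen", "geolocation",
    "gyroscope", "magnetometer", "microphone", "payment", "sync-xhr", "usb",
}
DIRECTIVE = re.compile(r"^([a-z-]+)=(\*|\((.*)\))$")   # feature=(...) or feature=*
ORIGIN = re.compile(r'^"https?://[^\s"/]+"$')          # double-quoted, with scheme

# Constructed sample header values for illustration.
GOOD = 'camera=(), microphone=(), autoplay=(self "https://youtube.com"), fullscreen=(self)'
BAD = "vibrate=(), usermedia=(), autoplay=(self mysiteURL.com)"


def lint_permissions_policy(value):
    """Return a list of problems found in a Permissions-Policy header value."""
    problems = []
    # Semicolons and single quotes belong to the old Feature-Policy syntax.
    if ";" in value or "'" in value:
        problems.append("Feature-Policy syntax (';' or single quotes) in Permissions-Policy")
    for raw in value.split(","):
        directive = raw.strip()
        match = DIRECTIVE.match(directive)
        if not match:
            problems.append(f"malformed directive: {directive}")
            continue
        feature, allowlist = match.group(1), match.group(3) or ""
        if feature not in KNOWN_FEATURES:
            problems.append(f"unrecognized feature: {feature}")
        for token in allowlist.split():
            if token not in ("self", "*") and not ORIGIN.match(token):
                problems.append(f"bad origin in {feature}: {token}")
    return problems


if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample, "->", lint_permissions_policy(sample) or "OK")
```

Pass it the unescaped header value, for example the value shown by `curl -I`, not the Apache directive with its `\"` escapes.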

Note that most modern browsers now use Permissions-Policy instead of Feature-Policy. The syntax is similar but with some important differences:

  • Feature names are now lowercase
  • Origin lists are more strictly formatted
  • Some features have been renamed

For backward compatibility, you might want to include both headers temporarily:

# 'vibrate' is omitted and 'usermedia' is replaced by 'camera': both names are reported as unrecognized features.
Header always set Feature-Policy "\
camera 'none'; \
microphone 'none'"

Header always set Permissions-Policy "\
camera=(),\
microphone=()"