5.18 Ensure HTTP Header Permissions-Policy is set appropriately

Information

The HTTP Permissions-Policy is a control that provides a way to allow or deny the use of certain browser features within a document or within any element in the document.

Rationale:

Having and using the ability to control browser features as needed with the directive follows the zero trust model and comply directly with CIS Controls section 2 of versions 7 and 8.

Impact:

You must only limit the origins and directives to what is needed to support the request. Limiting it too much may disrupt the ability to get a proper/expected response.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to implement the recommended state:
Add or modify the Header directive for the Permissions-Policy header in the Apache configuration to have the appropriate condition as shown below.

Header set Permissions-Policy "<Directive> <allowlist>"

Default Value:

Permissions-Policy Policy is not set by Default

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SC-7(8), 800-53|SI-7, 800-53|SI-7(1), CSCv7|2.7, CSCv7|9.4

Plugin: Unix

Control ID: ab12e72cc0c44e51dde12f230eab8ea1347265ee03e80c5062440cff078855c3