In short: Helmet’s featurePolicy middleware lets you restrict which browser features can be used. For example, you can disable fullscreen or vibration APIs.

The “attack”

It’s a good idea to limit your code’s the surface area. Less stuff means less to attack.

Web browsers have lots of different features, from vibration to fullscreen to microphone access. While some of these can be useful, you may not wish to use all of them, and you may not want any third-party scripts you include to use them either.

The header

The Feature-Policy header tells browsers which features you can use. For example, if you want to disable notifications for everyone and allow payments from, you could send a header like this:

Feature-Policy: notifications 'none'; payments

Read more:

The code

Helmet’s featurePolicy middleware helps you set this header.

You can use this module as part of Helmet:

// Make sure you run "npm install helmet" to get the Helmet package.
const helmet = require('helmet')

  features: {
    fullscreen: ["'self'"],
    vibrate: ["'none'"],
    payment: [''],
    syncXhr: ["'none'"]

You can also use it as a standalone module:

// Make sure you run "npm install feature-policy" to get this package.
const featurePolicy = require('feature-policy')

  features: {
    vibrate: ["'self'"],
    syncXhr: ["'none'"]

The following features are currently supported:

  • accelerometer
  • ambientLightSensor
  • autoplay
  • camera
  • documentDomain
  • documentWrite
  • encryptedMedia
  • fontDisplayLateSwap
  • fullscreen
  • geolocation
  • gyroscope
  • layoutAnimations
  • legacyImageFormats
  • loadingFrameDefaultEager
  • magnetometer
  • microphone
  • midi
  • oversizedImages
  • payment
  • pictureInPicture
  • serial
  • speaker
  • syncScript
  • syncXhr
  • unoptimizedImages
  • unoptimizedLosslessImages
  • unoptimizedLossyImages
  • unsizedMedia
  • usb
  • verticalScroll
  • vibrate
  • vr
  • wakeLock
  • xr