@financial-times/feature-policy-header

0.6.1 • Public • Published

Feature Policy Header

An Express middleware for adding a Feature-Policy header to web traffic. Exposes a single function, init, which returns middleware that decorates each response with a Feature-Policy header.

Usage

This module is compatible with Node 16+ and is distributed on npm.

npm install --save @financial-times/feature-policy-header

After installing the module you can initialise it in your app's server file. This should be done before any routes are declared which will require the middleware.

+ const featurePolicy = require('@financial-times/feature-policy-header');

app.use(
+  featurePolicy.init()
)

Run your app and check the browser's Network tab to confirm that the expected headers have been set.

Restricted Features

The restricted features can be found in src/restricted-features.json. Each feature relates to a browser API which we want to disallow on our user-facing pages. Any attempt to access a restricted API will throw a console error.

The full list of compatible features is available at https://featurepolicy.info/.

Report-To Header

The Report-To header is required to integrate with our Report URI account and dashboards. The Cyber Security team use Report URI to collect reports relating to security headers, such as Feature-Policy, to gain visibility on their use, monitor trends and detect problems.
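The Network-tab check can also be scripted. The following is an added example, not the package's own code: a stand-in middleware with the same init() shape, plus an audit that parses the Feature-Policy and Report-To response headers. The feature list, the Report-To group and endpoint URL, and all helper names are assumptions; they are not taken from src/restricted-features.json.

```javascript
// Added example, not the package's source. Feature names and report URL are constructed.
const RESTRICTED = ['camera', 'geolocation', 'microphone', 'usb']; // stand-in deny-list
const REPORT_TO = { group: 'default', max_age: 86400, endpoints: [{ url: 'https://reports.example/ingest' }] };

// Serialise a deny-list into Feature-Policy syntax: "camera 'none'; geolocation 'none'; ..."
function buildFeaturePolicy(features) {
  return features.map((f) => `${f} 'none'`).join('; ');
}

// Express-style middleware factory, mirroring the init() shape described on the page.
function init(features = RESTRICTED, reportTo = REPORT_TO) {
  const policy = buildFeaturePolicy(features);
  const report = JSON.stringify(reportTo);
  return (req, res, next) => {
    res.setHeader('Feature-Policy', policy);
    res.setHeader('Report-To', report);
    next();
  };
}

// Parse a Feature-Policy header value into Map<feature, allowlist tokens[]>.
function parseFeaturePolicy(value) {
  const out = new Map();
  for (const directive of String(value || '').split(';')) {
    const [name, ...allow] = directive.trim().split(/\s+/);
    if (name) out.set(name.toLowerCase(), allow);
  }
  return out;
}

// Audit response headers: which expected features are absent or not locked to 'none',
// and does Report-To parse as JSON with at least one https endpoint?
function auditHeaders(headers, expected = RESTRICTED) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const policy = parseFeaturePolicy(h['feature-policy']);
  const notDenied = expected.filter((f) => (policy.get(f) || []).join(' ') !== "'none'");
  let reportToOk = false;
  try {
    const r = JSON.parse(h['report-to']);
    reportToOk = Array.isArray(r.endpoints) && r.endpoints.some((e) => /^https:\/\//.test(e.url));
  } catch (_) { /* missing or malformed Report-To header */ }
  return { notDenied, reportToOk };
}

// Drive a middleware once with a minimal fake response object and return the headers it set.
function runOnce(mw) {
  const headers = {};
  mw({}, { setHeader: (k, v) => { headers[k] = v; } }, () => {});
  return headers;
}
```

In a real app, pass the headers of an actual response (for example from an integration test) to auditHeaders together with the feature names from src/restricted-features.json.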


    License

    MIT
