fix: add permissions-policy header (#1059)

internal/api/http/header.go

@@ -30,6 +30,7 @@ const (
 	XContentTypeOptions     = "x-content-type-options"
 	ReferrerPolicy          = "referrer-policy"
 	FeaturePolicy           = "feature-policy"
+	PermissionsPolicy       = "permissions-policy"
 
 	ZitadelOrgID = "x-zitadel-orgid"
 )

internal/api/http/middleware/security_headers.go

@@ -70,6 +70,7 @@ func (h *headers) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	headers.Set(http_utils.XContentTypeOptions, "nosniff")
 	headers.Set(http_utils.ReferrerPolicy, "same-origin")
 	headers.Set(http_utils.FeaturePolicy, "payment 'none'")
+	headers.Set(http_utils.PermissionsPolicy, "payment=()")
 	//PLANNED: add expect-ct
 
 	h.handler.ServeHTTP(w, r)