Feature-Policy header is not supported

[GaProgMan]

Description

The OwaspHeaders.Core middleware does not yet include support for Feature-Policy which is a header related to enabling or disabling certain JavaScript API features.

Quote from Scott Helme's blog:

TheFeature Policy is being created to allow site owners to enable and disable certain web platform features on their own pages and those they embed. Being able to restrict the features your site can use is really nice but being able to restrict features that sites you embed can use is an even better protection to have.

Source: A new security header: Feature Policy

Links to Header Information

• A new security header: Feature Policy
• RFC document
• Feature-Policy GitHub spec

[GaProgMan]

Due to an update to Security Headers (see footnote), which is a tool that a lot of users use to check their website security headers, this header should be implemented as soon as possible.

Footnote

Security Headers Updates - published July 22nd, 2019

[jamie-taylor-rjj]

Feature-Policy has been deprecated in favour of Permissions-Policy. This issue should be closed. See: https://owasp.org/www-project-secure-headers/#feature-policy for further details.