diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index c9a1708df679770aa0bae34ed593a51d5c83cbb9..aad30f9b97e9688b4dcc53a47d355e5f4f9b5e87 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -48,9 +48,10 @@
       // unsafe-inline is a fallback for browsers not supporting nonce
       // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
       response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
-      response.setHeader("X-XSS-Protection", "1; mode=block");
-      response.setHeader("X-Content-Type-Options", "nosniff");
    }
+   response.setHeader("X-XSS-Protection", "1; mode=block");
+   response.setHeader("X-Content-Type-Options", "nosniff");
+   response.setHeader("Permissions-Policy", "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture(), fullscreen=(self), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), vibrate=(), vr=()");
    // https://www.w3.org/TR/referrer-policy/
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
    // As of Chrome 56, Firefox 50, Opera 43. "same-origin" not widely supported.