diff --git a/internal/api/http/header.go b/internal/api/http/header.go
index abd6a36793..0263afb94e 100644
--- a/internal/api/http/header.go
+++ b/internal/api/http/header.go
@@ -30,6 +30,7 @@ const (
 XContentTypeOptions = "x-content-type-options"
 ReferrerPolicy = "referrer-policy"
 FeaturePolicy = "feature-policy"
+ PermissionsPolicy = "permissions-policy"
 ZitadelOrgID = "x-zitadel-orgid"
 )
diff --git a/internal/api/http/middleware/security_headers.go b/internal/api/http/middleware/security_headers.go
index ded18e7ae0..268861ced6 100644
--- a/internal/api/http/middleware/security_headers.go
+++ b/internal/api/http/middleware/security_headers.go
@@ -70,6 +70,7 @@ func (h *headers) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 headers.Set(http_utils.XContentTypeOptions, "nosniff")
 headers.Set(http_utils.ReferrerPolicy, "same-origin")
 headers.Set(http_utils.FeaturePolicy, "payment 'none'")
+ headers.Set(http_utils.PermissionsPolicy, "payment=()")
 //PLANNED: add expect-ct
 h.handler.ServeHTTP(w, r)
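Review bot: The new `PermissionsPolicy` constant is added directly below `FeaturePolicy` with nothing that ties the two together, so a later change to one header's policy value in the middleware is likely to leave the other out of sync. A short comment on the new line would make the pairing explicit, e.g. `// PermissionsPolicy is the standardized successor of FeaturePolicy; the security-headers middleware sets both so older and newer browsers receive the same restrictions.` The const block opens before this hunk, so its header comment, if any, is not visible here.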