diff --git a/hopglass-frontend.nix b/hopglass-frontend.nix
index f7126e3..894d01c 100644
--- a/hopglass-frontend.nix
+++ b/hopglass-frontend.nix
@@ -13,12 +13,14 @@ in
     root = "${hopglass-fe}";
     extraConfig = ''
       access_log off;
+      add_header Permissions-Policy "interest-cohort=()" always;
     '';
     locations."/" = {
         extraConfig = ''
           index index.html;
           etag off;
           add_header etag "\"${builtins.substring 11 32 hopglass-fe}\"";
+          add_header Permissions-Policy "interest-cohort=()" always;
         '';
     };
   };
diff --git a/postfixadmin.nix b/postfixadmin.nix
index 7a8a2c1..da0e352 100644
--- a/postfixadmin.nix
+++ b/postfixadmin.nix
@@ -30,10 +30,12 @@ in
 
       etag off;
       add_header etag "\"${builtins.substring 11 32 postfixadminpkg}\"";
+      add_header Permissions-Policy "interest-cohort=()" always;
 
       index index.php;
 
       location ~* \.php$ {
+        add_header Permissions-Policy "interest-cohort=()" always;
         # Zero-day exploit defense.
         # http://forum.nginx.org/read.php?2,88845,page=3
         # Won't work properly (404 error) if the file is not stored on this
diff --git a/roundcube.nix b/roundcube.nix
index 5d90b90..c466ef8 100644
--- a/roundcube.nix
+++ b/roundcube.nix
@@ -34,23 +34,28 @@ in
     root = "${roundcube}/public_html";
     extraConfig = ''
       access_log off;
-    '';
+      add_header Permissions-Policy "interest-cohort=()" always;
+      '';
     locations."~ ^/favicon.ico/.*$" = {
-        extraConfig = "try_files $uri kins/larry/images/$uri;";
+      extraConfig = ''
+        try_files $uri kins/larry/images/$uri;
+        add_header Permissions-Policy "interest-cohort=()" always;
+        '';
     };
     locations."/" = {
-        extraConfig = ''
-          index index.php;
-          try_files $uri /public/$uri /index.php$is_args$args;
-
-          etag off;
-          add_header etag "\"${builtins.substring 11 32 roundcube}\"";
+      extraConfig = ''
+        index index.php;
+        try_files $uri /public/$uri /index.php$is_args$args;
+        etag off;
+        add_header etag "\"${builtins.substring 11 32 roundcube}\"";
+        add_header Permissions-Policy "interest-cohort=()" always;
         '';
     };
     locations."~ [^/]\.php(/|$)" = {
       extraConfig = ''
         etag off;
         add_header etag "\"${builtins.substring 11 32 roundcube}\"";
+        add_header Permissions-Policy "interest-cohort=()" always;
 
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         if (!-f $document_root$fastcgi_script_name) {