How to Block FLoC using Nginx, Apache, WordPress, HAProxy and more?

FLoC or Federated Learning of Cohorts is a recent rollout by Google to replace third-party cookies with their own user surveillance built-in browser itself.

This is essentially a built-in Chrome browser itself and privacy concerned people can switch to another privacy concerned browser to avoid being tracked. But website owners can also opt-out of FLoC by making some simple modifications in their web server HTTP response header.

I would suggest checking out this Google and GitHub page to learn more about FLoC.

In this article, we’ll cover ways that you as a website owner can use to opt-out of FLoC by simple configuration change in web servers.

Custom HTTP Header

A custom HTTP response header ensures that the website owner is opting out of FLoC. The response header for this is:

Permissions-Policy: interest-cohort=()

Let’s see the implementation.


For NGINX, you need to add add_header directive within each server block (if a single configuration file is being used for multiple websites) or to each respective server configuration file.


And then restart NGINX service:

systemctl restart nginx

Alternatively, you can follow another approach by adding the below in the http block.

add_header Permissions-Policy "interest-cohort=()";

It would look like below in HTTP response headers.

HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Fri, 30 Apr 2021 06:37:02 GMT
Content-Type: text/html
Content-Length: 4057
Last-Modified: Mon, 07 Oct 2019 21:16:24 GMT
Connection: keep-alive
ETag: "5d9bab28-fd9"
Permissions-Policy: interest-cohort=()
Accept-Ranges: bytes


For Apache web server, add the custom header in your configuration file as:

<IfModule mod_headers.c>
  Header always set Permissions-Policy: interest-cohort=()

Then restart Apache to make it effective:

systemctl restart httpd

Which will have an output like below.

HTTP/1.1 200 OK
Date: Fri, 30 Apr 2021 06:49:58 GMT
Server: Apache/2.4.37 (centos)
Permissions-Policy: interest-cohort=()
Last-Modified: Thu, 29 Apr 2021 06:40:41 GMT
ETag: "3-5c116c620a6f1"
Accept-Ranges: bytes
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


If your WordPress is shared hosting, you won’t have the option to edit the webserver configuration file. But good news is, you can set headers in its codebase via hooks. In your active theme’s function.php, add the following lines at the end:

	function ( $headers ) 

Save the file in the WordPress admin backend and the header should be pushed in all new requests. Make sure to clear cache in its mechanism/plugin to make the new header effective.

Here is how my implementation output looks like.

cache-control: no-cache, must-revalidate, max-age=0
content-encoding: br
content-type: text/html; charset=UTF-8
date: Fri, 30 Apr 2021 13:40:14 GMT
expires: Wed, 11 Jan 1984 05:00:00 GMT
host-header: 6b7412fb82ca5edfd0917e3957f05d89
link: <>; rel=""
permissions-policy: interest-cohort=()
server: nginx
set-cookie: wpSGCacheBypass=1; expires=Fri, 30-Apr-2021 15:20:14 GMT; Max-Age=6000; path=/; HttpOnly; SameSite=Lax
vary: Accept-Encoding
x-cache-enabled: True
x-httpd: 1
x-proxy-cache: BYPASS
x-proxy-cache-info: 0 NC:100000 UP:SKIP_CACHE_SET_COOKIE

Another easy solution would be to use the HTTP Headers plugin.


HAProxy allows adding the header directive in its configuration. In frontend, listen or backend section of the configuration (whichever applicable), add the following directive:

http-response set-header Permissions-Policy interest-cohort=()

Make sure to restart your HAProxy server as:

systemctl restart haproxy

This will make the header effective for all new requests.


Traefik, mostly used as an ingress controller for the containerized environment, can be configured to opt out of FLoC similar to the above servers. In your traefik.toml file, add the following lines:

        Permissions-Policy = "interest-cohort=()"

Or for YAML based configuration (traefik.yml) use:

          Permissions-Policy: "interest-cohort=()"

Or if using Traefik with Docker, modify the traefik label in docker-compose.yml as:

  - "traefik.http.middlewares.floc.headers.customresponseheaders.Permissions-Policy=interest-cohort=()"


FLoC is a new surveillance mechanism and if you don’t want to show an interest-based advertisement on your website, you can opt-out by implementing Permissions Policy headers as explained above. As a user, you can check out this dedicated page (Am I FloCed?) to see if you’re being tracked with FLoC.

Deja un comentario