Sec-Fetch-User header
Limited availability
This feature is not Baseline because it does not work in some of the most widely-used browsers.
The HTTP Sec-Fetch-User fetch metadata request header is sent for requests initiated by user activation, and its value is always ?1.
A server can use this header to identify whether a navigation request from a document, iframe, etc., was initiated by the user.
| Header type | Fetch Metadata Request Header |
|---|---|
| Forbidden request header | Yes (Sec- prefix) |
| CORS-safelisted request header | No |
Syntax
```http
Sec-Fetch-User: ?1
```
Directives
The value will always be ?1. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.
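A sketch of how a server might act on this header for a sensitive page, as an added example that is not part of the original page or the specification. The function names and the allow/confirm/deny outcomes are assumptions. Because the header is missing in browsers that do not implement it and can be set freely by non-browser clients, its absence leads to a confirmation step rather than a block, and its presence is treated as a hint, not as authentication.

```javascript
// Added example. Function names and the allow/confirm/deny outcomes are
// illustrative assumptions, not part of the Fetch Metadata specification.

// Sec-Fetch-User is a structured-field boolean; browsers send only "?1".
// Anything else (missing, "?0", malformed) counts as "not user-activated".
function isUserActivated(headers) {
  const raw = headers["sec-fetch-user"];
  return typeof raw === "string" && raw.trim() === "?1";
}

// Classify a GET for a sensitive page. `headers` uses lowercase names,
// as Node's req.headers does.
function classifyNavigation(headers) {
  const site = headers["sec-fetch-site"];
  // No Fetch Metadata at all: older browser or non-browser client.
  // Nothing to evaluate here, so other defences must cover this case.
  if (site === undefined) return "allow";
  // Same-origin requests and direct user entry (address bar, bookmark).
  if (site === "same-origin" || site === "none") return "allow";
  // From here on the initiator is same-site or cross-site.
  if (headers["sec-fetch-mode"] !== "navigate") return "deny"; // subresource, fetch()
  if (headers["sec-fetch-dest"] !== "document") return "deny"; // iframe, embed, ...
  // Top-level navigation from another site: a user click carries ?1.
  // Without it, either no user activation took place or the browser does not
  // implement the header, so ask for confirmation instead of blocking.
  return isUserActivated(headers) ? "allow" : "confirm";
}

// Constructed sample requests (not captured traffic).
const base = { "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" };
const samples = {
  sameOriginClick: { ...base, "sec-fetch-site": "same-origin", "sec-fetch-user": "?1" },
  crossSiteClick: { ...base, "sec-fetch-site": "cross-site", "sec-fetch-user": "?1" },
  crossSiteNoActivation: { ...base, "sec-fetch-site": "cross-site" },
  crossSiteFrame: { ...base, "sec-fetch-dest": "iframe", "sec-fetch-site": "cross-site", "sec-fetch-user": "?1" },
  crossSiteSubresource: { "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image", "sec-fetch-site": "cross-site" },
  noFetchMetadata: {},
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, "->", classifyNavigation(headers));
}
```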
Examples
Using Sec-Fetch-User
If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:
```http
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```
Specifications
| Specification |
|---|
| Fetch Metadata Request Headers # sec-fetch-user-header |
Browser compatibility
See also
- Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site fetch metadata request headers
- Protect your resources from web attacks with Fetch Metadata (web.dev)
- Fetch Metadata Request Headers playground (secmetadata.appspot.com)