Sec-Fetch-User header
Baseline 2023Newly available
Since March 2023, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
The HTTP Sec-Fetch-User fetch metadata request header is sent for requests initiated by user activation, and its value is always ?1.
A server can use this header to identify whether a navigation request from a document, iframe, etc., was originated by the user.
| Header type | Fetch Metadata Request Header |
|---|---|
| Forbidden request header | Yes (Sec- prefix) |
| CORS-safelisted request header | No |
Syntax
http
Sec-Fetch-User: ?1
Directives
The value will always be ?1. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.
Examples
Using Sec-Fetch-User
If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:
http
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Specifications
| Specification |
|---|
| Fetch Metadata Request Headers # sec-fetch-user-header |
Browser compatibility
See also
Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Sitefetch metadata request headers- Protect your resources from web attacks with Fetch Metadata (web.dev)
- Fetch Metadata Request Headers playground (secmetadata.appspot.com)