Sec-Fetch-User fetch metadata request header is only sent for requests initiated by user activation, and its value will always be
A server can use this header to identify whether a navigation request from a document, iframe, etc., was originated by the user.
|Header type||Fetch Metadata Request Header|
|Forbidden header name||yes (prefix
|CORS-safelisted request header||no|
The value will always be
?1. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.
If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:
Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1
|Fetch Metadata Request Headers |
BCD tables only load in the browser
- Related headers
- Protect your resources from web attacks with Fetch Metadata (web.dev)
- Fetch Metadata Request Headers playground (secmetadata.appspot.com)