Fetch metadata request header

A fetch metadata request header is an {{Glossary("Request header", "HTTP request header")}} that provides additional information about the context from which the request originated. This allows the server to make decisions about whether a request should be allowed based on where the request came from and how the resource will be used.

With this information a server can implement a resource isolation policy, allowing external sites to request only those resources that are intended for sharing, and that are used appropriately. This approach can help mitigate common cross-site web vulnerabilities such as {{Glossary("CSRF")}}, Cross-site Script Inclusion (XSSI), timing attacks, and cross-origin information leaks.

These headers are prefixed with `Sec-`, and hence are {{Glossary("Forbidden request header", "forbidden request headers")}}. As such, they cannot be modified from JavaScript.

The fetch metadata request headers are:

  • {{HTTPHeader("Sec-Fetch-Site")}}
  • {{HTTPHeader("Sec-Fetch-Mode")}}
  • {{HTTPHeader("Sec-Fetch-User")}}
  • {{HTTPHeader("Sec-Fetch-Dest")}}
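The resource isolation policy described above, written out as a server-side check over the `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-Dest` headers. This is an added example, not code from this page or from MDN; the decision rules (accept same-origin, same-site and browser-initiated requests, accept cross-site top-level navigations that are plain GET/HEAD and not loaded into `<object>`/`<embed>`, reject every other cross-site request) are one common policy and are an assumption about what a particular site wants to allow. The sample requests at the bottom are constructed, not captured traffic.

```javascript
// Added example: a resource isolation policy built on fetch metadata request
// headers. Not MDN's code; the allow/deny rules below are an assumed policy.

// Node lowercases incoming header names, but objects from tests may not,
// so look the header up case-insensitively.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Decide whether to serve a request. Returns { allow, reason } so the
// reason can be logged for detection and tuning.
function resourceIsolationPolicy(method, headers) {
  const site = getHeader(headers, "sec-fetch-site");
  const mode = getHeader(headers, "sec-fetch-mode");
  const dest = getHeader(headers, "sec-fetch-dest");

  // 1. No fetch metadata: an older browser or a non-browser client. The
  //    policy cannot isolate these; other defenses (CSRF tokens, CORS)
  //    still apply downstream.
  if (site === undefined) {
    return { allow: true, reason: "no fetch metadata; relying on other checks" };
  }

  // 2. Same-origin, same-site, and user-initiated ("none", e.g. typed URL
  //    or bookmark) requests are the site's own traffic.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }

  // 3. Cross-site top-level navigations keep inbound links working, but
  //    only simple GET/HEAD ones, and not when framed into <object>/<embed>.
  if (
    mode === "navigate" &&
    (method === "GET" || method === "HEAD") &&
    dest !== "object" &&
    dest !== "embed"
  ) {
    return { allow: true, reason: "cross-site GET/HEAD navigation" };
  }

  // 4. Everything else is a cross-site subresource load, fetch(), or
  //    form POST navigation: reject before any application code runs.
  return {
    allow: false,
    reason: `cross-site ${mode ?? "?"} request for dest=${dest ?? "?"}`,
  };
}

// Middleware in the Express/Connect (req, res, next) shape. Responds 403
// on rejection; the reason is returned so it can be logged.
function fetchMetadataMiddleware(req, res, next) {
  const decision = resourceIsolationPolicy(req.method, req.headers);
  if (!decision.allow) {
    res.statusCode = 403;
    res.end("Forbidden: " + decision.reason);
    return decision;
  }
  next();
  return decision;
}

// Constructed sample requests covering each branch of the policy.
const sampleRequests = [
  { method: "GET", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { method: "GET", headers: {} }, // client without fetch metadata
  { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { method: "POST", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "script" } },
  { method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
];

// Evaluate all samples; returns the list of decisions.
function evaluateSamples() {
  return sampleRequests.map((r) => ({ ...r, ...resourceIsolationPolicy(r.method, r.headers) }));
}

for (const d of evaluateSamples()) {
  console.log(`${d.method} ${d.allow ? "ALLOW" : "DENY "} ${d.reason}`);
}
```

Rule 1 is the important caveat: because clients without fetch metadata are passed through, the policy is a layer in front of CSRF tokens and CORS, not a replacement for them. Logging the `reason` on denials also gives a cheap detection signal for cross-site requests that the policy is already blocking.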

The following request headers are not strictly "fetch metadata request headers", as they are not in the same specification, but similarly provide information about the context of how a resource will be used. A server might use them to modify its caching behavior, or the information that is returned:

  • {{HTTPHeader("Sec-Purpose")}}
  • {{HTTPHeader("Service-Worker-Navigation-Preload")}}

See also