files/en-us/web/http/reference/headers/sec-fetch-user/index.md
The HTTP Sec-Fetch-User {{Glossary("fetch metadata request header")}} is sent for requests initiated by user activation, and its value is always ?1.
A server can use this header to identify whether a navigation request from a document, iframe, etc., was originated by the user.
<table class="properties"> <tbody> <tr> <th scope="row">Header type</th> <td>{{Glossary("Fetch Metadata Request Header")}}</td> </tr> <tr> <th scope="row">{{Glossary("Forbidden request header")}}</th> <td>Yes (<code>Sec-</code> prefix)</td> </tr> <tr> <th scope="row"> {{Glossary("CORS-safelisted request header")}} </th> <td>No</td> </tr> </tbody> </table>Sec-Fetch-User: ?1
The value will always be ?1. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.
If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
{{Specifications}}
{{Compat}}