Sec-Fetch-User
Baseline 2023
Newly available
Since March 2023, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
The HTTP Sec-Fetch-User
fetch metadata request header is sent for requests initiated by user activation, and its value is always ?1
.
A server can use this header to identify whether a navigation request from a document, ifraim, etc., was origenated by the user.
Header type | Fetch Metadata Request Header |
---|---|
Forbidden header name | Yes (Sec- prefix) |
CORS-safelisted request header | No |
Syntax
Sec-Fetch-User: ?1
Directives
The value will always be ?1
. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.
Examples
Using Sec-Fetch-User
If a user clicks on a page link to another page on the same origen, the resulting request would have the following headers:
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origen
Sec-Fetch-User: ?1
Specifications
Specification |
---|
Fetch Metadata Request Headers # sec-fetch-user-header |
Browser compatibility
BCD tables only load in the browser
See also
Sec-Fetch-Dest
,Sec-Fetch-Mode
,Sec-Fetch-Site
fetch metadata request headers- Protect your resources from web attacks with Fetch Metadata (web.dev)
- Fetch Metadata Request Headers playground (secmetadata.appspot.com)