Fetch Metadata is a set of several HTTP request headers that provide additional context to the server about what the browser is going to do with the response, where the request has originated, and whether the request was user-activated. Based on these headers, the server may for example implement extra access control and similar.
Sec-Fetch-Dest
Sec-Fetch-Mode
Sec-Fetch-Site
Sec-Fetch-User
This is a live demo page, it displays exactly the headers your browser has sent. Speaking of which, your browser has sent the following Fetch Metadata headers for some of the most common request types:
Sec-Fetch-*
request headers for this page
Sec-Fetch-Dest
: not present
Sec-Fetch-Mode
: not present
Sec-Fetch-Site
: not present
Sec-Fetch-User
: not present
(This page was generated at 14:56:38)
Reloading the page is user-activated if it happens immediately or in less than 5 seconds,
click the buttons and watch the headers.
Sec-Fetch-*
request headers for an iframe
Reloading the iframe is user-activated if it happens immediately or in less than 5 seconds,
click the buttons and watch the Sec-Fetch-User
header.
Sec-Fetch-*
request headers for a <script>
tag
Sec-Fetch-Dest
: …
…
Sec-Fetch-Mode
: …
…
Sec-Fetch-Site
: …
…
Sec-Fetch-User
: …
…
Headers sent when downloading a script with a <script src="…"></script>
tag
Sec-Fetch-*
request headers for an <img>
tag
Reloading the image is not a navigation request and as such is not user-activated and will not send Sec-Fetch-User
.
Opening the image in a new tab will send different headers, notably the Sec-Fetch-Dest
header will be document
.
Sec-Fetch-*
request headers for an <embed>
tagtype
attribute