Sec-Fetch-User
Baseline 2023
Newly available
Since March 2023, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
The Sec-Fetch-User fetch metadata request header is only sent for requests initiated by user activation, and its value will always be ?1.
A server can use this header to identify whether a navigation request from a document, iframe, etc., was originated by the user.
| Header type | Fetch Metadata Request Header |
|---|---|
| Forbidden header name | yes (prefix Sec-) |
| CORS-safelisted request header | no |
Syntax
Sec-Fetch-User: ?1
Directives
The value will always be ?1. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.
Examples
If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Specifications
| Specification |
|---|
| Fetch Metadata Request Headers # sec-fetch-user-header |
Browser compatibility
BCD tables only load in the browser
See also
-
Related headers
-
Protect your resources from web attacks with Fetch Metadata (web.dev)
-
Fetch Metadata Request Headers playground (secmetadata.appspot.com)