With this information a server can implement a resource isolation policy, allowing external sites to request only those resources that are intended for sharing, and only when they are used appropriately. This approach helps mitigate common cross-site web vulnerabilities such as CSRF, cross-site script inclusion (XSSI), timing attacks, and cross-origin information leaks.
These headers are prefixed with Sec-, and hence have forbidden header names. As such, they cannot be modified from JavaScript.
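An added example (not code from the page) of the resource isolation policy described above, evaluated from the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest fetch metadata headers; the Express-style middleware wrapper and the sample requests are constructed for illustration.

```javascript
// Resource isolation policy driven by fetch metadata request headers.
// Returns { allow, reason } so the decision can be logged and tested.
// Header names are assumed lowercase, as Node.js normalizes them.
function isolationPolicy(method, headers) {
  const get = (name) => String(headers[name] || '').toLowerCase();
  const site = get('sec-fetch-site');
  const mode = get('sec-fetch-mode');
  const dest = get('sec-fetch-dest');

  // Older browsers send no fetch metadata: fall through to the app's
  // existing defenses (CSRF tokens, CORS) rather than breaking them.
  if (!site) return { allow: true, reason: 'no fetch metadata' };

  // Same-origin, same-site and user-initiated (e.g. typed URL) requests.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }

  // Cross-site top-level GET navigations (links into the app) are fine,
  // unless the navigation would embed the page via <object> or <embed>.
  if (mode === 'navigate' && method === 'GET' &&
      dest !== 'object' && dest !== 'embed') {
    return { allow: true, reason: 'cross-site navigation' };
  }

  // Everything else is a cross-site subresource or non-GET request:
  // the surface for CSRF, XSSI and cross-origin leaks.
  return { allow: false, reason: `cross-site ${mode} request for ${dest}` };
}

// Express-style middleware (constructed): reject before the handler runs.
// Because Sec-* headers are forbidden header names, page script cannot
// forge them, so the verdict can be trusted where the browser sends them.
function fetchMetadataGuard(req, res, next) {
  const verdict = isolationPolicy(req.method, req.headers);
  if (!verdict.allow) {
    res.statusCode = 403;
    return res.end(`Rejected by resource isolation policy: ${verdict.reason}`);
  }
  next();
}

// Constructed sample request headers for a quick local check.
const sampleCrossSiteImage = {
  'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors',
  'sec-fetch-dest': 'image',
};
console.log(isolationPolicy('GET', sampleCrossSiteImage)); // allow: false
```

Endpoints that are deliberately shared (public APIs, embeddable widgets) should be exempted from the guard rather than forced through it.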
The fetch metadata request headers are:
The following request headers are not strictly "fetch metadata request headers", as they are not in the same specification, but similarly provide information about the context of how a resource will be used. A server might use them to modify its caching behavior, or the information that is returned:
- Sec-Purpose (Experimental)
- Service-Worker-Navigation-Preload