Sec-Fetch-Dest

Description

The Sec-Fetch-Dest request header is a security-related HTTP header used by web browsers to indicate the destination of a requested resource. It provides servers with information about the context in which a resource is being fetched, allowing them to implement security measures and optimize content delivery.

The Sec-Fetch-Dest header is part of the broader Fetch Metadata Request Headers set, which helps prevent cross-site request forgery (CSRF) attacks and improve request handling. By examining this header, a server can determine whether a request is for an image, script, style, or another resource type.

Syntax

The Sec-Fetch-Dest header follows this syntax:

Sec-Fetch-Dest: <destination>

The <destination> value specifies the type of resource being requested. Some common values include:

  • document – A top-level document (e.g., an HTML page).
  • script – A JavaScript file.
  • style – A CSS file.
  • image – An image file.
  • font – A font file.
  • iframe – An embedded frame.
  • video – A video resource.
  • audio – An audio resource.
  • websocket – A WebSocket connection.

Examples

Basic Usage in HTTP Requests

When a browser fetches a script file, the request may include the Sec-Fetch-Dest header as follows:

GET /app.js HTTP/2
Host: example.com
Sec-Fetch-Dest: script

Similarly, for an image request:

GET /image.png HTTP/2
Host: example.com
Sec-Fetch-Dest: image
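
A server-side check built on the requests above, as an added example that is not part of the original page: it compares the Sec-Fetch-Dest value with the kind of resource being served and rejects mismatches, such as an image path fetched as a script or a page loaded in an iframe. The extension-to-destination policy, the name check_dest, and the sample paths are assumptions made for illustration.

```python
import posixpath

# Hypothetical policy: file extension -> Sec-Fetch-Dest values accepted for it.
ALLOWED_DESTS = {
    ".js": {"script"},
    ".css": {"style"},
    ".png": {"image"},
    ".woff2": {"font"},
    # These pages may be opened as top-level documents but not framed.
    ".html": {"document"},
}


def check_dest(path, headers):
    """Return (allowed, reason) for a request to `path`.

    `headers` maps header names to values; names are matched case-insensitively.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    dest = lowered.get("sec-fetch-dest")
    if dest is None:
        # Clients that do not send the header are not judged by this check.
        return True, "no Sec-Fetch-Dest header"
    ext = posixpath.splitext(path.split("?", 1)[0])[1].lower()
    expected = ALLOWED_DESTS.get(ext)
    if expected is None:
        return True, "no policy for this resource type"
    dest = dest.strip()
    if dest in expected:
        return True, f"{dest} is expected for {ext}"
    return False, f"{dest} not permitted for {ext}"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/app.js", {"Sec-Fetch-Dest": "script"}),
    ("/image.png", {"Sec-Fetch-Dest": "image"}),
    ("/account.html", {"Sec-Fetch-Dest": "iframe"}),
    ("/image.png", {"Sec-Fetch-Dest": "script"}),
    ("/app.js", {}),
]

if __name__ == "__main__":
    for path, hdrs in SAMPLES:
        print(path, hdrs, check_dest(path, hdrs))
```

Browsers set this header themselves and page scripts cannot override it, but a non-browser client can send any value, so the check belongs alongside authentication and CSRF tokens rather than in place of them.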

Summary

The Sec-Fetch-Dest request header is a key security feature that helps servers identify the purpose of incoming requests. By understanding the context of a request, servers can implement stricter security policies, optimize content delivery, and mitigate security threats like cross-site request forgery (CSRF). Proper use of this header enhances web security while improving resource handling efficiency.