Sec-Fetch-Dest
Description
The Sec-Fetch-Dest request header is a security-related HTTP header used by web browsers to indicate the destination of a requested resource. It provides servers with information about the context in which a resource is being fetched, allowing them to implement security measures and optimize content delivery.
The Sec-Fetch-Dest header is part of the broader Fetch Metadata Request Headers set, which helps prevent cross-site request forgery (CSRF) attacks and improve request handling. By examining this header, a server can determine whether a request is for an image, script, style, or another resource type.
Syntax
The Sec-Fetch-Dest header follows this syntax:
Sec-Fetch-Dest: <destination>
The <destination> value specifies the type of resource being requested. Some common values include:
document – A top-level document (e.g., an HTML page).
script – A JavaScript file.
style – A CSS file.
image – An image file.
font – A font file.
iframe – An embedded frame.
video – A video resource.
audio – An audio resource.
websocket – A WebSocket connection.
Examples
Basic Usage in HTTP Requests
When a browser fetches a script file, the request may include the Sec-Fetch-Dest header as follows:
GET /app.js HTTP/2
Host: example.com
Sec-Fetch-Dest: script
Similarly, for an image request:
GET /image.png HTTP/2
Host: example.com
Sec-Fetch-Dest: image
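The following is an added example, not part of the original page: a minimal WSGI middleware in Python that compares Sec-Fetch-Dest with the destinations each route expects and rejects mismatches. The route prefixes, the POLICY table and all function names are assumptions made for illustration.

```python
# Added example: the route prefixes and policy below are constructed assumptions.
from wsgiref.util import setup_testing_defaults

# First matching prefix wins: which Sec-Fetch-Dest values each route accepts.
POLICY = [
    ("/api/", {"empty"}),          # JSON meant for fetch()/XHR, not <script>/<img>
    ("/static/js/", {"script"}),   # files loaded as scripts
    ("/static/img/", {"image"}),   # files loaded as images
    ("/account/", {"document"}),   # top-level pages that should not be framed
]

def dest_allowed(path, dest):
    """Return True if a request for `path` with header value `dest` passes."""
    if dest is None:
        # Header absent: older browsers and non-browser clients do not send it.
        # Allowed here so the check stays additive to other controls.
        return True
    dest = dest.strip().lower()
    for prefix, allowed in POLICY:
        if path.startswith(prefix):
            return dest in allowed
    return True  # routes without a rule are not restricted

def fetch_dest_filter(app):
    """WSGI middleware that rejects requests whose destination breaks POLICY."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")
        dest = environ.get("HTTP_SEC_FETCH_DEST")
        if not dest_allowed(path, dest):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request destination not allowed for this resource\n"]
        return app(environ, start_response)
    return wrapped

def demo_app(environ, start_response):
    """Stand-in application that always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(path, dest=None):
    """Run one constructed request through the middleware; return its status."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if dest is not None:
        environ["HTTP_SEC_FETCH_DEST"] = dest
    seen = []
    fetch_dest_filter(demo_app)(environ, lambda s, h: seen.append(s))
    return seen[0]
```

Clients other than browsers can send any value for this header, so a check like this complements authentication and CSRF tokens rather than replacing them.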
Summary
The Sec-Fetch-Dest request header is a key security feature that helps servers identify the purpose of incoming requests. By understanding the context of a request, servers can implement stricter security policies, optimize content delivery, and mitigate security threats like cross-site request forgery (CSRF). Proper use of this header enhances web security while improving resource handling efficiency.