Sec-Fetch-Site

Description

The Sec-Fetch-Site request header is a security-related HTTP header that indicates the relationship between the origin of the request and the target server. It is part of the Fetch Metadata Request Headers set and is used to help servers distinguish between same-origin, same-site, and cross-site requests.

This header helps servers implement security measures, such as defending against Cross-Site Request Forgery (CSRF) attacks, by identifying whether the request originated from the same origin, the same site, a different site, or directly from the user. Based on this information, the server can decide whether to allow or block the request.

Syntax

The Sec-Fetch-Site header follows this syntax:

Sec-Fetch-Site: <site>

The <site> value specifies the request’s origin relationship and can have one of the following values:

  • none:
    The request was initiated by the user (e.g., entering a URL in the address bar) or by a service worker.
  • same-origin:
    The request originates from the same origin as the requested resource.
  • same-site:
    The request originates from the same site but a different origin (e.g., https://sub.example.com to https://example.com).
  • cross-site:
    The request originates from a completely different site.

Examples

Basic Usage in HTTP Requests

When a browser requests a resource from the same origin, it may include the Sec-Fetch-Site header as follows:

GET /data.json HTTP/2
Host: example.com
Sec-Fetch-Site: same-origin

For a request made from a different site:

GET /data.json HTTP/2
Host: example.com
Sec-Fetch-Site: cross-site
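The following is an added example (not part of the original page, and not any framework's built-in code) of how a server might act on the four values listed above. It parses request heads shaped like the two examples just shown, then applies a simple resource-isolation policy: same-origin, same-site and none requests are allowed, cross-site requests are allowed only for safe (read-only) methods, and a request that carries no Sec-Fetch-Site header at all is treated as "unknown" rather than as cross-site, because older browsers and non-browser clients never send Fetch Metadata. The function names, the Decision type and the sample requests are all assumptions made for this example.

```python
"""Resource-isolation check driven by the Sec-Fetch-Site request header.

Hypothetical example code; the policy, names and sample requests are
constructed for illustration and are not taken from any framework.
"""
from __future__ import annotations

from dataclasses import dataclass

# Methods that must not change server state (RFC 9110 "safe" methods).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# The four values defined for Sec-Fetch-Site.
KNOWN_VALUES = frozenset({"none", "same-origin", "same-site", "cross-site"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_request_head(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw request head into (METHOD, target, {lower-case header: value})."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def evaluate_sec_fetch_site(method: str, headers: dict[str, str],
                            allow_missing: bool = True) -> Decision:
    """Decide whether to serve a request based on Sec-Fetch-Site and the method."""
    site = headers.get("sec-fetch-site")
    if site is None:
        # Absent header: legacy browser or non-browser client. This is NOT
        # evidence of a cross-site request; the caller decides whether other
        # CSRF defences (e.g. tokens) make it acceptable to continue.
        return Decision(allow_missing, "header absent; rely on other CSRF defences")
    site = site.strip().lower()
    if site not in KNOWN_VALUES:
        # Anything outside the defined vocabulary is treated as hostile input.
        return Decision(False, f"unrecognised Sec-Fetch-Site value {site!r}")
    if site in ("same-origin", "same-site", "none"):
        # Same site, or a user-initiated navigation such as the address bar.
        return Decision(True, f"{site} request allowed")
    # Remaining case is cross-site: permit read-only access only.
    if method in SAFE_METHODS:
        return Decision(True, "cross-site request with safe method allowed")
    return Decision(False, "cross-site state-changing request blocked")


def check_raw_request(raw: str, allow_missing: bool = True) -> Decision:
    """Convenience wrapper: parse a raw request head and evaluate it."""
    method, _target, headers = parse_request_head(raw)
    return evaluate_sec_fetch_site(method, headers, allow_missing)


# Constructed sample request heads (the first two mirror the examples above).
SAME_ORIGIN_GET = "GET /data.json HTTP/2\nHost: example.com\nSec-Fetch-Site: same-origin\n"
CROSS_SITE_GET = "GET /data.json HTTP/2\nHost: example.com\nSec-Fetch-Site: cross-site\n"
CROSS_SITE_POST = "POST /account/delete HTTP/2\nHost: example.com\nSec-Fetch-Site: cross-site\n"
NO_HEADER_POST = "POST /account/delete HTTP/2\nHost: example.com\n"
BOGUS_VALUE_GET = "GET /data.json HTTP/2\nHost: example.com\nSec-Fetch-Site: trust-me\n"

if __name__ == "__main__":
    for name, raw in [("same-origin GET", SAME_ORIGIN_GET), ("cross-site GET", CROSS_SITE_GET),
                      ("cross-site POST", CROSS_SITE_POST), ("no header POST", NO_HEADER_POST),
                      ("bogus value GET", BOGUS_VALUE_GET)]:
        d = check_raw_request(raw)
        print(f"{name:16} -> {'ALLOW' if d.allowed else 'BLOCK':5} ({d.reason})")
```

Allowing cross-site safe-method requests assumes the resource is meant to be readable from other sites; for private data, tighten the cross-site branch to block as well. Whether a missing header is accepted (`allow_missing`) should depend on whether the endpoint already has another CSRF defence, since rejecting every request without Fetch Metadata would lock out older clients.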

Summary

The Sec-Fetch-Site request header is a crucial security feature that helps servers determine the origin relationship of requests. By analyzing this header, servers can enforce stricter security policies to prevent malicious cross-site requests. Proper use of this header enhances web security, reduces vulnerabilities to CSRF attacks, and ensures that resources are accessed as intended.