Sec-Fetch-Site
Request header Security

Overview

Sec-Fetch-Site is a Fetch Metadata request header the browser adds automatically, revealing the relationship between the request's initiator and its target (same-origin, same-site, cross-site, or direct navigation). Servers can use it to identify cross-site requests and defend against CSRF and information leaks.

Details

The values are same-origin, same-site, cross-site, and none. none means a top-level navigation with no initiating document, such as typing in the address bar or opening a bookmark. Being a browser-managed forbidden header, it cannot be forged by script, making it a more trustworthy origin signal than Origin/Referer.

The archetypal defense built on it is a Resource Isolation Policy. For instance, a server can require 'sensitive state-changing endpoints only when Sec-Fetch-Site is same-origin' or 'reject cross-site requests that are not document navigations', blocking many CSRF, XSSI, and timing attacks at once.

An example rule: allow only requests where Sec-Fetch-Site is in {same-origin, none} or (it is a navigation with dest document), and reject other cross-site subresource requests with 403. But keep a fallback policy (e.g. existing CSRF tokens) when the header is absent, for legacy browsers and non-browser clients that do not send it.

Syntax

Sec-Fetch-Site: <same-origin | same-site | cross-site | none>

e.g. Sec-Fetch-Site: same-origin

Directives / values

same-originThe request initiator and target share the exact same origin.
same-siteSame site (registrable domain including scheme) though the origin may differ.
cross-siteThe request was initiated from a different site.
noneA user-initiated request (address bar, bookmark, etc.) with no initiating document.

Notes

Related headers

Related status codes

Specification