Sec-Fetch-User
Request header Security

Overview

Sec-Fetch-User is a Fetch Metadata header the browser adds only to top-level document navigation (navigate) requests, indicating whether the navigation was triggered by a genuine user action (click, Enter, form submit — user activation). It is sent as ?1 only when true, and is entirely absent for automatic or script-triggered navigations.

Details

The header is a Structured Fields boolean and appears only in the ?1 form meaning true. When false (no user activation) the header itself is omitted, so the server judges the presence of a user gesture by 'whether the header exists'.

This helps distinguish unwanted automatic redirects/forced navigations from user-intended moves. For instance, in a sensitive flow you can require 'only navigations originating from a user click', or treat a script-triggered top-level navigation as a suspicious signal. Being a browser-managed value, it cannot be forged.

Sec-Fetch-User appears only on top-level navigations whose mode is navigate. It is absent on subresources (image, script, fetch, etc.), so it is meaningful only when interpreted alongside the other Sec-Fetch-* headers (Site, Mode, Dest).

Syntax

Sec-Fetch-User: ?1

e.g. Sec-Fetch-User: ?1

Directives / values

?1A Structured-Fields boolean true meaning this navigation was triggered by user activation (click, Enter, etc.); only sent in this form.

Notes

Related headers

Related status codes

Specification