Purpose
The HTTP Purpose request header is an unofficial HTTP header indicating a prefetch or prerender request triggered by the browser's speculative loading mechanisms rather than direct user navigation.
Usage
The Purpose header signals to the server when a
request originates from a prefetch or prerender action.
Browsers send the header on requests triggered by
<link rel="prefetch">, <link rel="prerender">, or
the speculation rules API. Servers
receiving this header
distinguish speculative loads from actual user
navigation, allowing them to skip analytics tracking,
defer expensive personalization, or serve lighter
responses for speculative requests.
The header has a long history across browser engines.
Firefox introduced X-Moz: prefetch. Safari adopted
X-Purpose: prefetch, then dropped the X- prefix to
Purpose: prefetch following IETF guidance on
deprecating experimental header naming. Chrome adopted
Purpose: prefetch as part of its NoState Prefetch
implementation.
The Purpose header is being replaced by
Sec-Purpose, which uses the Sec-
prefix to prevent JavaScript from spoofing the value
through fetch() or XMLHttpRequest. Chrome sent both Purpose and
Sec-Purpose during a transition period.
Chrome stopped sending Purpose, completing the
migration to Sec-Purpose.
The Purpose header also conflicts with the
CORS specification. Because Purpose is not a CORS
safelisted header, prefetch requests to cross-origin
resources trigger unnecessary preflight checks. The
Sec- prefix on Sec-Purpose avoids
this because Sec- prefixed headers are excluded from
CORS processing.
Note
Firefox sends X-Moz: prefetch instead of
Purpose. Firefox also supports
Sec-Purpose. Server-side code
detecting prefetch
requests across browsers needs to check for
Purpose, Sec-Purpose, and
X-Moz headers.
Values
prefetch
The value prefetch indicates the browser is fetching
a resource speculatively. This is the only defined
value. Both prefetch and prerender requests send this
same value in the Purpose header.
Example
A browser prefetching a page using the legacy header. Chrome stopped sending Purpose, but older Chromium-based browsers and some other implementations still include the header.
Purpose: prefetch
A Firefox browser prefetching a resource sends its vendor-specific header alongside Sec-Purpose.
X-Moz: prefetch
Sec-Purpose: prefetch
Server-side detection covering all browser implementations. Checking multiple header names ensures prefetch requests are identified regardless of browser.
Purpose: prefetch
Takeaway
The Purpose header identifies prefetch and
prerender requests from the browser's speculative
loading mechanisms. The header is being replaced by
Sec-Purpose, which avoids CORS
conflicts and prevents JavaScript spoofing through
the Sec- prefix.
See also
- Pass Sec-Purpose: prefetch with link rel=prefetch (Chrome Status)
- Stop sending Purpose: prefetch (Chrome Status)
- Sec-Purpose
- Sec-Fetch-Dest
- Sec-Fetch-Mode
- HTTP headers