Sec-Fetch-Dest

The HTTP Sec-Fetch-Dest request header tells the server how the requested resource will be used.

Usage

The HTTP Sec-Fetch-Dest request header is used by servers to assess whether the target resource is appropriate given the intended usage. For example, if the intended use is as an image, the resource is expected not to be data that corresponds to an audio file. The intended use is also referred to as the "destination".

The possible directives are:

  • audio: The intended usage is audio data.
  • audioworklet: The resource is intended for use by an audio worklet.
  • document: After clicking a link, the user expects to use the resource as an HTML or XML document.
  • embed: The destination type for this resource is embedded content.
  • empty: The destination is the empty string. This value is used for destinations that do not have a value of their own. Examples of this are WebSocket, XMLHttpRequest, and more.
  • font: The destination type is a font, which may have originated from CSS.
  • frame: The destination is a frame, which may have originated from CSS.
  • iframe: The destination is an iframe, which may have originated from CSS.
  • image: The intended use is as an image.
  • manifest: The intended use is as a manifest.
  • object: The destination type is an object.
  • paintworklet: The intended use is as a paint worklet.
  • report: The destination is a report, such as a content security policy report.
  • script: The intended use is as a script.
  • serviceworker: The destination type is a service worker.
  • sharedworker: The destination type is a shared worker.
  • style: The destination is a style, possibly originating from CSS.
  • track: The track type is an HTML text track.
  • video: The resource is expected to be used as a video.
  • worker: The destination type is a worker.
  • xslt: The intended use is as an XSLT transform.

Example

In this example, a cross-site HTTP request for an audio file includes the following three HTTP headers:

Request

Sec-Fetch-Dest: audio
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
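
The check described under Usage, applied to the request above, can be sketched as follows. This is an added example, not code from the original page; the function name, the destination-to-media-type table and the three result strings are assumptions chosen for illustration.

```python
# Added example: compare Sec-Fetch-Dest with the media type of the resource
# the server is about to return. Names and the mapping are hypothetical.
JS = ("text/javascript", "application/javascript")
HTML = ("text/html", "application/xhtml+xml")

# Destination -> media types this sample server serves for it.
# A pattern ending in "/" matches a whole family; others must match exactly.
DEST_TYPES = {
    "audio": ("audio/",), "video": ("video/",), "image": ("image/",),
    "font": ("font/",), "style": ("text/css",), "track": ("text/vtt",),
    "manifest": ("application/manifest+json", "application/json"),
    "document": HTML, "frame": HTML, "iframe": HTML,
    "script": JS, "worker": JS, "sharedworker": JS, "serviceworker": JS,
    "audioworklet": JS, "paintworklet": JS,
}

def _matches(media_type, patterns):
    return any(media_type.startswith(p) if p.endswith("/") else media_type == p
               for p in patterns)

def check_destination(headers, content_type):
    """Return 'allow', 'deny' or 'unchecked' for a response of content_type."""
    # Header names are case-insensitive, so normalise before the lookup.
    normalized = {k.lower(): v.strip().lower() for k, v in headers.items()}
    dest = normalized.get("sec-fetch-dest")
    if dest is None:
        return "unchecked"  # the client did not send the header
    patterns = DEST_TYPES.get(dest)
    if patterns is None:
        return "unchecked"  # embed, object, empty, report, xslt, or unlisted
    # Drop parameters such as "; charset=utf-8" before comparing.
    media_type = content_type.split(";", 1)[0].strip().lower()
    return "allow" if _matches(media_type, patterns) else "deny"

# Constructed sample: the three request headers from the example above.
EXAMPLE_REQUEST = {
    "Sec-Fetch-Dest": "audio",
    "Sec-Fetch-Site": "cross-site",
    "Sec-Fetch-Mode": "no-cors",
}

if __name__ == "__main__":
    for ctype in ("audio/mpeg", "application/json; charset=utf-8"):
        print(ctype, "->", check_destination(EXAMPLE_REQUEST, ctype))
```

A request that arrives without the header is reported as unchecked rather than denied, so the caller decides how to treat clients that do not send it.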

Takeaway

The HTTP Sec-Fetch-Dest request header is sent by a client to inform a server as to the purpose of the HTTP request. It reveals the type of resource the client needs, so the server can determine whether the target resource is appropriate for the destination.

Last updated: June 20, 2022