Sec-Fetch-Site

The HTTP Sec-Fetch-Site request header is sent by the client to describe the relationship between the client’s origin and the origin in which the target resource resides.

Table of Contents

Usage

The HTTP Sec-Fetch-Site header is used to identify the relationship between the requestor’s origin and the resource’s origin. This is important for identifying cross-origin HTTP requests and handling them appropriately.

If the server opts to reject the HTTP request based on this HTTP header, the HTTP 403 Forbidden error message is to be returned by default.

The directives are cross-site, same-site, same-origin, and none.

The cross-site directive implies that the requestor and server have different sites. The same-site directive implies that they are co-hosted in the domain and/or subdomain, although they do not have to be hosted on the same port. The same-origin directive is used when the two endpoints have the same origin, which is the scheme, host, and port. Finally, the none directive means that it is a user-originated operation, such as typing a URL into the address bar or navigating by using a bookmark on the client’s browser.

Takeaway

The HTTP Sec-Fetch-Site request header is used to inform the server concerning the relationship between the requestor’s site and the target resource’s site.

See also

Last updated: June 20, 2022