Sec-Fetch-User
The HTTP Sec-Fetch-User request header indicates whether a navigation request was triggered by user activation.
Baseline: Limited availability
Supported in Chromium-based browsers (Chrome, Edge, Opera) and Firefox. webstatus.dev
Usage
The Sec-Fetch-User header is part of the Fetch Metadata Request Headers specification. Browsers include this header only on navigation requests where the user directly caused the navigation, such as clicking a link, submitting a form, or pressing a keyboard shortcut to navigate.
The header uses the Structured Fields boolean format. The only value sent is ?1, meaning true. When no user activation triggered the navigation, the browser omits the header entirely rather than sending a false value. Automatic navigations like <meta http-equiv="refresh"> redirects and JavaScript-initiated navigations without user gestures do not include this header.
Servers use Sec-Fetch-User alongside Sec-Fetch-Site, Sec-Fetch-Mode, and Sec-Fetch-Dest to distinguish legitimate user-initiated navigations from automated or programmatic requests. A server protecting a sensitive endpoint verifies both Sec-Fetch-User: ?1 and Sec-Fetch-Site: same-origin before processing the request, adding an extra layer of defense against cross-site request forgery.
Values
?1
The ?1 value is a Structured Fields boolean indicating true. The navigation was activated by a user gesture: a click, tap, form submission, or keyboard action. No other values exist for this header.
Example
A user clicks a link on the same site. The browser includes all four fetch metadata headers, with Sec-Fetch-User confirming user activation.
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
A user submits a form pointing to a same-site action URL. The form submission counts as user activation.
POST /submit HTTP/1.1
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
An automatic redirect triggered by JavaScript does not include the Sec-Fetch-User header because no user gesture initiated the navigation.
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
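The server-side check described under Usage, run over the header sets above. This is an added example, not code from the specification or any framework; the function names, the strict policy (same-origin, top-level document navigation, user-activated), and the allow_legacy fallback for clients that send no Fetch Metadata are assumptions.

```python
# Added example; function names and the policy are illustrative assumptions.

def parse_sf_boolean(raw):
    """Parse a Structured Fields boolean: True, False, or None if absent/malformed."""
    if raw is None:
        return None
    bare = raw.split(";", 1)[0].strip()  # ignore any Structured Fields parameters
    if bare == "?1":
        return True
    if bare == "?0":
        return False
    return None


def check_sensitive_navigation(headers, allow_legacy=False):
    """Return (allowed, reason) for a navigation to a sensitive endpoint."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        # No Fetch Metadata: a browser without support, or a non-browser client.
        return (allow_legacy, "no fetch metadata")
    if site != "same-origin":
        return (False, "sec-fetch-site is " + site)
    if h.get("sec-fetch-mode") != "navigate" or h.get("sec-fetch-dest") != "document":
        return (False, "not a top-level document navigation")
    # Browsers omit the header instead of sending ?0, so absence means no gesture.
    if parse_sf_boolean(h.get("sec-fetch-user")) is not True:
        return (False, "no user activation")
    return (True, "user-activated same-origin navigation")


# Header sets taken from the examples above.
LINK_CLICK = {"Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document",
              "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin"}
JS_REDIRECT = {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
               "Sec-Fetch-Site": "same-origin"}
# Constructed sample: a user click on a link hosted on another site.
CROSS_SITE_CLICK = {"Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document",
                    "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "cross-site"}

if __name__ == "__main__":
    for name, hdrs in (("link click", LINK_CLICK), ("js redirect", JS_REDIRECT),
                       ("cross-site click", CROSS_SITE_CLICK), ("no metadata", {})):
        print(name, check_sensitive_navigation(hdrs))
```

A non-browser client can send any header values, so this check supplements CSRF tokens and authentication rather than replacing them.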
Takeaway
The Sec-Fetch-User header signals whether a user gesture initiated a navigation, giving servers a reliable indicator to distinguish intentional visits from automated or programmatic navigations.