Fetch Metadata Request Headers

ID

fetch_metadata_request_headers

Severity

info

Kind

Access Control

CWE

352

Description

This detector identifies missing or invalid Fetch Metadata request headers that browsers send to help servers distinguish between legitimate and potentially malicious cross-origin requests. The Sec-Fetch-Site header indicates the relationship between the request initiator and target origin. The Sec-Fetch-Mode header differentiates navigation requests from resource loading. The Sec-Fetch-Dest header specifies the intended use of the requested resource. The Sec-Fetch-User header indicates whether navigation was user-initiated. Servers can use these headers to implement resource isolation policies and reject suspicious cross-site requests.

Rationale

Missing Fetch Metadata headers prevent servers from implementing effective defenses against cross-site request forgery, cross-site script inclusion, and timing attacks. Attackers can craft malicious cross-origin requests that appear indistinguishable from legitimate same-origin requests when these headers are absent or invalid. Without this metadata, servers cannot reliably determine whether requests originated from trusted contexts or potentially malicious third-party sites. This increases the attack surface for various cross-site attacks including CSRF, clickjacking, and unauthorized resource access.

Remediation

Configure the server to validate Fetch Metadata headers and implement a resource isolation policy. Reject requests whose Sec-Fetch-Site value is missing, invalid, or indicates a cross-site origin where a same-site request is expected. Ensure Sec-Fetch-Dest values match the resource type each endpoint is meant to serve. For sensitive operations, require Sec-Fetch-User to indicate a user-initiated navigation. Valid Sec-Fetch-Dest values include audio, audioworklet, document, embed, empty, font, frame, iframe, image, manifest, object, paintworklet, report, script, serviceworker, sharedworker, style, track, video, worker, and xslt. Implement defense in depth by combining Fetch Metadata validation with other CSRF protections such as SameSite cookies and anti-CSRF tokens.
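An added example (not the detector's or any server framework's own code) of the resource isolation policy described above, expressed as a pure function a middleware could call; the Policy/evaluate names, the sample path prefixes and the allow_missing option are assumptions. It goes slightly beyond the text in letting requests that carry no Fetch Metadata through by default, because older browsers and non-browser clients never send these headers.

```python
"""Fetch Metadata resource isolation policy (constructed example, not a vendor's code)."""
from dataclasses import dataclass, field

VALID_SITE = {"same-origin", "same-site", "none", "cross-site"}
VALID_DEST = {"audio", "audioworklet", "document", "embed", "empty", "font", "frame",
              "iframe", "image", "manifest", "object", "paintworklet", "report", "script",
              "serviceworker", "sharedworker", "style", "track", "video", "worker", "xslt"}


@dataclass
class Policy:
    expected_dest: dict = field(default_factory=dict)  # path prefix -> allowed Sec-Fetch-Dest values
    require_user: tuple = ()  # path prefixes that need a user-initiated navigation (Sec-Fetch-User: ?1)
    # Older browsers and non-browser clients send no Fetch Metadata at all; rejecting them
    # (allow_missing=False) is stricter but breaks those clients, so pair it with CSRF tokens.
    allow_missing: bool = True


def evaluate(policy: Policy, method: str, path: str, headers: dict) -> tuple:
    """Decide whether one request passes the isolation policy; returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    site, mode = h.get("sec-fetch-site"), h.get("sec-fetch-mode")
    dest, user = h.get("sec-fetch-dest"), h.get("sec-fetch-user")
    if site is None:
        return (True, "no fetch metadata") if policy.allow_missing else (False, "missing Sec-Fetch-Site")
    if site not in VALID_SITE or (dest is not None and dest not in VALID_DEST):
        return False, "invalid Fetch Metadata value"
    # Per-endpoint destination check: an API path should only be reached by fetch/XHR (dest "empty"),
    # so a cross-site navigation to it is refused here, before the navigation exception below.
    for prefix, allowed in policy.expected_dest.items():
        if path.startswith(prefix):
            if dest not in allowed:
                return False, f"unexpected Sec-Fetch-Dest {dest!r} for {prefix}"
            break
    if path.startswith(policy.require_user) and not (mode == "navigate" and user == "?1"):
        return False, "sensitive endpoint requires user-initiated navigation"
    if site in ("same-origin", "same-site", "none"):
        return True, f"{site} request"
    # Cross-site: only plain top-level GET navigations (users following links into the site) pass;
    # <object>/<embed> loads are not treated as navigations.
    if mode == "navigate" and method.upper() == "GET" and dest not in ("object", "embed"):
        return True, "cross-site top-level navigation"
    return False, "cross-site request rejected"


# Constructed sample policy: JSON API under /api/, static assets, one sensitive action.
EXAMPLE_POLICY = Policy(
    expected_dest={"/api/": {"empty"}, "/static/": {"script", "style", "image", "font"}},
    require_user=("/account/delete",),
)
```

A cross-site POST to /api/transfer is refused while a same-origin one passes, and a cross-site link to the home page still works, which is the balance the policy is meant to strike.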