What are Sec-Fetch headers and should I include them?

Sec-Fetch headers are security-focused headers sent by Chromium-based browsers to help servers understand request context.

The headers:

Sec-Fetch-Site: Relationship between requester and target:

  • cross-site: Different domain
  • same-origin: Same protocol, domain, and port
  • same-site: Same site (different subdomain OK)
  • none: Direct navigation (typing URL or bookmark)

Sec-Fetch-Mode: Type of request:

  • navigate: Page navigation
  • cors: CORS request
  • no-cors: Request made without CORS (for example a plain image or script load)
  • same-origin: Same origin only

Sec-Fetch-User: Whether navigation was user-initiated:

  • ?1: User initiated (click, address bar)
  • Not present: Programmatic

Sec-Fetch-Dest: Request destination:

  • document: Page load
  • iframe: Iframe
  • image: Image
  • script: JavaScript
  • style: CSS

When to include them:

Include if:

  • Impersonating Chrome/Edge (Chromium-based)
  • Site checks for them specifically
  • Want maximum authenticity

Skip if:

  • Impersonating Firefox or Safari (they don't send these)
  • Scraping simple sites
  • Want to minimize complexity

Example combinations:

Direct navigation to page:

Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document

Following a link from same site:

Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document

API request from JavaScript:

Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty

Implementation:

headers = {
    'User-Agent': 'Mozilla/5.0... Chrome/120.0.0.0',
    # ... other headers
    'sec-fetch-site': 'none',
    'sec-fetch-mode': 'navigate',
    'sec-fetch-user': '?1',
    'sec-fetch-dest': 'document'
}

Common mistakes:

  • Including Sec-Fetch headers with Firefox User-Agent
  • Using wrong values for the navigation flow
  • Inconsistent Sec-Fetch combinations

Browser version requirements:

Sec-Fetch headers were introduced in:

  • Chrome 76+ (2019)
  • Edge 79+ (2020)

Don't include them with older browser versions.

Recommendation:

For sophisticated anti-bot systems, include accurate Sec-Fetch headers matching your navigation pattern. For simpler sites, they're optional but won't hurt if correct.
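
The server side of these headers, as an added example that is not part of the original page: the Python below applies a resource isolation policy to a request and lists the reasons a Sec-Fetch header set cannot have come from a single real fetch. The function names, the /public/badge.svg opt-out path and the sample request are constructed for illustration.

```python
# Added example, not from the original page. Names, the opt-out path and the
# sample requests are constructed for illustration.
SITES = {"cross-site", "same-origin", "same-site", "none"}
MODES = {"navigate", "cors", "no-cors", "same-origin", "websocket"}
NAV_DESTS = {"document", "embed", "frame", "iframe", "object"}
CROSS_SITE_OK = {"/public/badge.svg"}  # hypothetical resource meant for embedding


def inconsistencies(headers):
    """List reasons a Sec-Fetch header set cannot come from one real fetch."""
    h = {k.lower(): v for k, v in headers.items()}
    site, mode = h.get("sec-fetch-site"), h.get("sec-fetch-mode")
    dest, user = h.get("sec-fetch-dest"), h.get("sec-fetch-user")
    if site is None and mode is None and dest is None and user is None:
        return []  # no Fetch Metadata at all: nothing to cross-check
    reasons = []
    if site not in SITES:
        reasons.append("bad-site")
    if mode not in MODES:
        reasons.append("bad-mode")
    # Sec-Fetch-User is only sent as ?1, and only on navigation requests.
    if user is not None and (user != "?1" or mode != "navigate"):
        reasons.append("bad-user-flag")
    # Navigations only target document-like destinations, never image/script/empty.
    if mode == "navigate" and dest not in NAV_DESTS:
        reasons.append("navigate-with-subresource-dest")
    return reasons


def isolation_decision(method, path, headers):
    """Resource isolation policy: return 'allow' or 'block' for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        return "allow"  # client sent no Fetch Metadata; other controls must apply
    if site in ("same-origin", "same-site", "none"):
        return "allow"  # our own pages, or a direct user navigation
    # Anything else is cross-site (unknown values are treated the same way).
    if (h.get("sec-fetch-mode") == "navigate" and method == "GET"
            and h.get("sec-fetch-dest") not in ("object", "embed")):
        return "allow"  # cross-site GET navigation, such as a followed link
    return "allow" if path in CROSS_SITE_OK else "block"


if __name__ == "__main__":
    # Constructed request: a cross-site script-driven POST to a state-changing URL.
    forged = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors",
              "Sec-Fetch-Dest": "empty"}
    print(isolation_decision("POST", "/account/email", forged), inconsistencies(forged))
```

Requests that carry no Sec-Fetch headers pass this policy, so it complements CSRF tokens and SameSite cookies rather than replacing them.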
