Sec-Fetch-Mode Header

Table of Contents

  • Syntax
  • Directives
  • Examples
  • Browser Compatibility
  • How to modify Sec-Fetch-Mode header

The Sec-Fetch-Mode request header is a browser security feature that helps servers enforce security measures on web requests. It is part of the Fetch Metadata Request Headers proposed by Google, which give detailed information about the type of request being sent. This feature helps protect against attacks such as Cross-Site Request Forgery (CSRF), Cross-Site Script Inclusion (XSSI), and resource timing attacks.

Syntax

Sec-Fetch-Mode: cors
Sec-Fetch-Mode: navigate
Sec-Fetch-Mode: nested-navigate
Sec-Fetch-Mode: no-cors
Sec-Fetch-Mode: same-origin
Sec-Fetch-Mode: websocket

Directives

The Sec-Fetch-Mode header takes one of the following directives:

  • cors : Fetch uses a CORS request.
  • navigate : Fetch uses navigate mode.
  • nested-navigate : Fetch uses nested navigate mode.
  • no-cors : Fetch uses a no-cors request.
  • same-origin : Fetch uses a same-origin request.
  • websocket : Fetch uses a websocket.

Examples

Here's an example of a GET request sent with Sec-Fetch-Mode set to cors:

GET /data HTTP/1.1
Host: example.com
Sec-Fetch-Mode: cors
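
A server can act on this header by listing, per route, which fetch modes it expects to see. The following is an added example, not code from the original page: the route paths and the policy table are assumptions, and a request without the header is allowed because browsers without Fetch Metadata support and non-browser clients do not send it.

```javascript
// Added example (not from the original page): a per-route allow-list of
// Sec-Fetch-Mode values. Route paths and the policy table are assumptions.
const KNOWN_MODES = new Set([
  "cors", "navigate", "nested-navigate", "no-cors", "same-origin", "websocket",
]);

// Fetch modes each kind of endpoint is expected to receive.
const ROUTE_POLICY = new Map([
  ["/data", new Set(["cors", "same-origin"])],                 // JSON read by fetch()/XHR
  ["/account", new Set(["navigate", "nested-navigate"])],      // HTML document
  ["/live", new Set(["websocket"])],                           // WebSocket handshake
  ["/logo.png", new Set(["no-cors", "cors", "same-origin"])],  // embeddable image
]);

// headers: object with lower-cased names, as Node's http module provides.
function evaluateFetchMode(path, headers) {
  const allowed = ROUTE_POLICY.get(path);
  if (!allowed) return { allow: false, reason: "no policy for route" };

  const raw = headers["sec-fetch-mode"];
  // Clients that do not send the header are let through here so that other
  // controls (CSRF tokens, cookie attributes) make the decision instead.
  if (raw === undefined) return { allow: true, reason: "header absent" };

  const mode = String(raw).trim();
  if (!KNOWN_MODES.has(mode)) return { allow: false, reason: "unknown mode" };
  if (!allowed.has(mode)) return { allow: false, reason: `mode ${mode} not expected` };
  return { allow: true, reason: `mode ${mode} expected` };
}

// Constructed sample requests.
const samples = [
  ["/data", { host: "example.com", "sec-fetch-mode": "cors" }],
  ["/data", { host: "example.com", "sec-fetch-mode": "no-cors" }],  // e.g. <script src>
  ["/data", { host: "example.com", "sec-fetch-mode": "navigate" }], // e.g. form submission
  ["/data", { host: "example.com" }],                               // header not sent
  ["/live", { host: "example.com", "sec-fetch-mode": "websocket" }],
];
for (const [path, headers] of samples) {
  const { allow, reason } = evaluateFetchMode(path, headers);
  console.log(`${path} -> ${allow ? "allow" : "deny"} (${reason})`);
}
```

Because the value can be changed in the user's own browser, a check like this protects users of unmodified browsers and does not authenticate the client.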

Browser Compatibility

Browser    Compatibility
Chrome     Supported
Firefox    Not Supported
Safari     Not Supported
Opera      Supported
Edge       Supported

Note: The support may vary between different versions of the same browser.

How to modify Sec-Fetch-Mode header

ModHeader is a Chrome extension that allows you to modify and tweak request headers. To change the Sec-Fetch-Mode header using ModHeader, follow these steps:

  1. Install the ModHeader extension from the Chrome Web Store.
  2. Click on the ModHeader icon in the toolbar.
  3. In the Request headers section, input Sec-Fetch-Mode in the Name field.
  4. In the corresponding Value field, enter the desired value (e.g., cors, navigate, no-cors, etc.).
  5. Now, all your requests will include the modified Sec-Fetch-Mode header.

This is useful for testing and debugging applications, as you can simulate different fetch modes without having to manually change your code. Please note that this should not be used as a method to bypass any security controls implemented by a website.