Table of Contents
- Browser Compatibility
- How to modify Sec-Fetch-Mode header

The Sec-Fetch-Mode request header is a security feature in the browser that helps enforce security measures for web requests. It is part of the Fetch Metadata Request Headers proposed by Google, which give detailed information about the type of request being sent. This feature helps protect against attacks such as Cross-Site Request Forgery (CSRF), Cross-Site Script Inclusion (XSSI), and resource timing attacks.
Sec-Fetch-Mode: cors
Sec-Fetch-Mode: navigate
Sec-Fetch-Mode: nested-navigate
Sec-Fetch-Mode: no-cors
Sec-Fetch-Mode: same-origin
Sec-Fetch-Mode: websocket
The Sec-Fetch-Mode header has several directives:
- cors: Fetch uses a CORS request.
- navigate: Fetch uses navigate mode.
- nested-navigate: Fetch uses nested navigate mode.
- no-cors: Fetch uses a no-cors request.
- same-origin: Fetch uses a same-origin request.
- websocket: Fetch uses a websocket.
Here's an example of sending a GET request with Sec-Fetch-Mode set to cors:
GET /data HTTP/1.1
Host: example.com
Sec-Fetch-Mode: cors
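A server can act on this header by allowlisting the modes each kind of endpoint expects, which rejects script-style (no-cors) and navigation requests aimed at a JSON API. The sketch below is an added example, not code from the original page; the endpoint kinds (page, api, socket) and the function names checkFetchMode, getFetchMode and decideAll are assumptions.

```javascript
// Added example: per-endpoint allowlist keyed on Sec-Fetch-Mode.
// The endpoint kinds (page, api, socket) are assumptions of this sketch.
const ALLOWED_MODES = {
  page: new Set(["navigate", "nested-navigate"]), // HTML documents
  api: new Set(["cors", "same-origin"]),          // JSON read via fetch()/XHR
  socket: new Set(["websocket"]),                 // WebSocket handshake
};

// Header names are case-insensitive; return the normalized value or null.
function getFetchMode(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-fetch-mode") {
      return String(value).trim().toLowerCase();
    }
  }
  return null;
}

// Decide whether a request may reach an endpoint of the given kind.
function checkFetchMode(kind, headers) {
  const allowed = ALLOWED_MODES[kind];
  if (!allowed) throw new Error(`unknown endpoint kind: ${kind}`);
  const mode = getFetchMode(headers);
  // Non-browser clients and older browsers send no Fetch Metadata headers.
  // Letting them through keeps the policy deployable but protects nothing.
  if (mode === null) return { allow: true, reason: "header absent" };
  // Fail closed on any value outside the allowlist, including unknown ones.
  if (!allowed.has(mode)) {
    return { allow: false, reason: `unexpected mode ${mode} for ${kind}` };
  }
  return { allow: true, reason: `mode ${mode} expected for ${kind}` };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { kind: "api", headers: { "Sec-Fetch-Mode": "cors" } },      // fetch()
  { kind: "api", headers: { "sec-fetch-mode": "no-cors" } },   // <script src>
  { kind: "api", headers: { "Sec-Fetch-Mode": "navigate" } },  // form or link
  { kind: "page", headers: { "Sec-Fetch-Mode": "navigate" } }, // address bar
  { kind: "socket", headers: { "Sec-Fetch-Mode": "cors" } },   // not a handshake
  { kind: "api", headers: { Host: "example.com" } },           // no metadata sent
];

function decideAll(samples) {
  return samples.map((s) => checkFetchMode(s.kind, s.headers).allow);
}

console.log(decideAll(SAMPLES));
```

A cross-site fetch() also arrives as cors, so Sec-Fetch-Mode alone does not identify who initiated the request; production policies combine it with the Sec-Fetch-Site header.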
Browser Compatibility
Note: Support may vary between different versions of the same browser.
How to modify Sec-Fetch-Mode header
ModHeader is a Chrome extension that allows you to modify and tweak request headers. To change the Sec-Fetch-Mode header using ModHeader, follow these steps:
- Install the ModHeader extension from the Chrome Web Store.
- Click on the ModHeader icon in the toolbar.
- In the Request headers section, input Sec-Fetch-Mode as the header name.
- In the corresponding Value field, enter the desired value (e.g., cors, navigate, no-cors, etc.).
- Now, all your requests will include the modified Sec-Fetch-Mode header.
This is useful for testing and debugging applications, as you can simulate different fetch modes without having to manually change your code. Please note that this should not be used as a method to bypass any security controls implemented by a website.