Table of Content
The Sec-Purpose header is an HTTP response header used to notify user-agents about the purpose for which the request was initiated. It is security-related and is not visible in the Fetch and Resource Timing APIs. As such, this header categorizes requests according to various purposes like prefetch, document, object, report, fetch, etc., enabling better control over request priorities and content security policy enforcement.
To utilize the Sec-Purpose header, you must include it in your HTTP response header as follows:
Sec-Purpose: prefetch | document | object | report | fetch
The Sec-Purpose header includes several directives which denote the purpose of the request. These include:
prefetch: Used for requests aimed at fetching resources intended for future navigation.
document: Utilized for navigating to a page.
object: Used for requests that load resource fetched as a result of processing the 'object' HTML tag.
report: Applicable for requests that deliver reports about violations of various types of policies.
fetch: Utilized for general resource fetches.
An example of a Sec-Purpose header in an HTTP response would look like:
HTTP/1.1 200 OK
This indicates that the response was generated following a navigation to a new page.
Please note that the support can change over time and it is advised to test and confirm the compatibility frequently.
How to modify Sec-Purpose header
ModHeader is a browser extension that enables you to modify headers on the fly during browsing. To modify the Sec-Purpose header using ModHeader, follow these steps:
- First, install the ModHeader extension from your browser’s extension store.
- In the ModHeader extension, enter 'Sec-Purpose' into the 'Request Header' name box.
- For the Value box, enter the desired purpose (
- Now, any subsequent requests from the page will have the newly defined Sec-Purpose header.
Modifying the Sec-Purpose header can be useful for testing how your website will react to different types of requests. It can also be beneficial in setting up and configuring website security policies, by simulating various request purposes and examining how they interact with existing policies.