Inferensys

Glossary

Fetch Metadata

A set of HTTP request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`) that provide the server with context about the request's origin, allowing for precise rejection of cross-site scraping attempts.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
HTTP REQUEST HEADERS

What is Fetch Metadata?

A set of HTTP request headers that provide the server with contextual information about a request's origin, enabling precise security decisions against cross-site attacks and unauthorized scraping.

Fetch Metadata is a suite of HTTP request headers—Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest, and Sec-Fetch-User—that automatically expose the relationship between the requesting page and the target resource. These headers allow a server to distinguish between a user navigating directly to a page, a same-origin API call, and a malicious cross-site request initiated by a third-party script or embedded iframe.

For AI crawler identification, Fetch Metadata provides a robust, browser-enforced defense layer. By inspecting Sec-Fetch-Site: cross-site combined with Sec-Fetch-Mode: navigate, a server can programmatically reject scraping attempts where an automated browser is instrumented to traverse a domain from an external origin, blocking the request at the application layer before any content is served.

HTTP REQUEST CONTEXT

Core Characteristics of Fetch Metadata

Fetch Metadata headers provide the server with declarative context about a request's provenance, enabling precise security policies against cross-site scraping and injection attacks.

01

Sec-Fetch-Site

Declares the relationship between the request initiator's origin and the requested resource's origin.

  • same-origin: Request originates from the same site (e.g., navigation within your app)
  • same-site: Request comes from a different scheme but same registrable domain (e.g., http:// to https:// on same domain)
  • cross-site: Request originates from a completely different registrable domain
  • none: Request is user-initiated (e.g., typing a URL directly, bookmark click)

For AI crawler defense, rejecting all cross-site requests to sensitive API endpoints immediately blocks scraping tools that inject requests from external origins.

cross-site
Primary Block Target
02

Sec-Fetch-Mode

Indicates the request's initiation mode, revealing whether the browser expects a navigation, a resource load, or an API-style fetch.

  • navigate: Top-level document request (user clicking a link)
  • nested-navigate: Request for a nested browsing context like an iframe
  • no-cors: Opaque request with limited response access (image, script tags)
  • cors: Cross-origin request requiring CORS headers
  • websocket: Upgrade request for a WebSocket connection

AI scrapers often use no-cors mode to pull content without triggering CORS preflight checks. Blocking no-cors on HTML endpoints prevents silent data extraction.

no-cors
Scraper Indicator
03

Sec-Fetch-Dest

Specifies the intended destination of the fetched resource within the browser's processing pipeline.

  • document: Full HTML page (top-level navigation)
  • iframe: Embedded sub-document
  • script, style, image: Sub-resource loads
  • empty: Requests initiated via fetch() or XMLHttpRequest
  • audio, video, font, worker: Specialized resource types

Requests with dest: empty and site: cross-site are a strong signal of programmatic scraping. Legitimate browser navigations always carry dest: document or dest: iframe.

empty
API Call Indicator
04

Sec-Fetch-User

A boolean header indicating whether the request was triggered by a user activation (a click, tap, or keypress).

  • ?1: User-initiated action (genuine human interaction)
  • ?0: No user activation (automated or background request)
  • Absent: Header not sent (older browser or non-browser client)

Automated crawlers and headless browsers cannot simulate true user activation gestures. Requiring Sec-Fetch-User: ?1 on sensitive endpoints blocks bots that programmatically trigger navigation without real interaction events.

?0
Automation Signal
05

Combined Policy Enforcement

Fetch Metadata headers are most powerful when evaluated together as a composite signal. A single request carrying:

  • Sec-Fetch-Site: cross-site
  • Sec-Fetch-Mode: no-cors
  • Sec-Fetch-Dest: empty
  • Sec-Fetch-User: ?0

represents a near-certain automated scraping attempt with no legitimate browser use case. This combination can be rejected at the edge with zero false positives.

Deploy these policies in reverse proxies (NGINX, Envoy) or CDN edge workers to block scraping before it reaches origin infrastructure.

< 1 ms
Decision Latency
~0%
False Positive Rate
06

Browser Support & Limitations

Fetch Metadata headers are supported by all modern Chromium-based browsers (Chrome 76+, Edge 79+) and Firefox 90+. Safari added support in version 16.0.

Critical caveats for AI crawler defense:

  • Non-browser clients (Python requests, cURL, headless automation) may omit these headers entirely. Absence itself is a detection signal.
  • Spoofing is possible but requires the attacker to know your exact policy logic. Defense-in-depth with TLS fingerprinting (JA4) and IP reputation is essential.
  • Legitimate API consumers (mobile apps, server-to-server integrations) won't send Fetch Metadata. Maintain an allowlist for known partners.
FETCH METADATA

Frequently Asked Questions

Clear, technical answers to the most common questions about the Sec-Fetch header family and its role in mitigating unauthorized AI-driven data extraction.

Fetch Metadata is a set of HTTP request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that provide a server with contextual information about the browser's request initiation. These headers are automatically appended by the user agent and cannot be modified by JavaScript, making them a tamper-proof mechanism for distinguishing legitimate user navigation from malicious cross-site requests. By inspecting these headers, a server can determine if a request originated from the same origin, a same-site origin, or a completely unrelated cross-site origin, and then apply granular security policies to reject suspicious traffic before it reaches the application layer.

DETECTION METHODOLOGY COMPARISON

Fetch Metadata vs. Traditional Bot Detection

Comparing server-side Fetch Metadata header analysis with conventional client-interrogation techniques for identifying and blocking unauthorized AI crawlers.

FeatureFetch MetadataJavaScript FingerprintingCAPTCHA Challenges

Detection Layer

HTTP request headers (server-side)

Client-side JavaScript execution

Client-side challenge-response

Works on headless browsers

Requires JavaScript execution

Detects cross-site scraping

Computational overhead

Negligible

Moderate

High

User friction

Zero

Zero

Significant

Bypassable via browser automation

Privacy-preserving

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.