Sec-Fetch-Site: cross-site

Value: cross-site: This indicates the request originated from a completely different website (e.g., attacker.com trying to fetch data from yourbank.com).

Value: same-origin: The request started on your own site.

Sec-Fetch-Mode — Indicates the "how" (using the Fetch API/CORS).

: The browser adds sec-fetch-site: cross-site and sec-fetch-mode: navigate (or cors).

Modern browsers include a set of HTTP request headers known as Fetch Metadata Request Headers. These headers allow servers to make security decisions based on how a request was initiated and where it came from.

: A user on site-a.com clicks a button that sends a POST to site-b.com.

: The server sees cross-site on a sensitive POST action and rejects it because it knows this request didn't originate from its own trusted frontend.

Summary of the Headers

Sec-Fetch-Site: This is the most critical header in your list. It tells the server the relationship between the request initiator's origin and the target resource's origin.

Sec-Fetch-Dest — Indicates the "what" (data fetch, not an image or script).
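
The server-side rejection described above, written as a WSGI middleware. This is an added example, not code from the original page; the names allow_request and fetch_metadata_middleware are hypothetical. It goes slightly beyond the POST case by still allowing a cross-site GET navigation (a followed link), and it assumes requests that carry no Sec-Fetch-Site header are let through and covered by other CSRF defenses.

```python
"""Fetch Metadata policy: reject cross-site requests to state-changing routes."""

# Sec-Fetch-Site values that mean the request came from our own pages, or
# from direct user action (typed URL, bookmark), which is sent as "none".
TRUSTED_SITES = {"same-origin", "same-site", "none"}

# Lowercase header name -> WSGI environ key.
FETCH_HEADERS = {
    "sec-fetch-site": "HTTP_SEC_FETCH_SITE",
    "sec-fetch-mode": "HTTP_SEC_FETCH_MODE",
    "sec-fetch-dest": "HTTP_SEC_FETCH_DEST",
}


def allow_request(method, headers):
    """Return True if the request passes the policy (header names lowercase)."""
    site = headers.get("sec-fetch-site")
    if site is None:
        # Assumption: older browsers and non-browser clients send no
        # Fetch Metadata; they are allowed here and handled elsewhere.
        return True
    if site in TRUSTED_SITES:
        return True
    # cross-site: permit only a plain top-level navigation, never a POST
    # and never a load into <object> or <embed>.
    return (
        method == "GET"
        and headers.get("sec-fetch-mode") == "navigate"
        and headers.get("sec-fetch-dest") not in ("object", "embed")
    )


def fetch_metadata_middleware(app):
    """Wrap a WSGI app and answer 403 before the application code runs."""
    def wrapped(environ, start_response):
        headers = {
            name: environ[key]
            for name, key in FETCH_HEADERS.items() if key in environ
        }
        if allow_request(environ["REQUEST_METHOD"], headers):
            return app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"cross-site request rejected\n"]
    return wrapped
```

Log rejected requests with the three header values before enforcing, so legitimate cross-site integrations show up before they break.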