`Sec-Fetch-*` Header Decoder

The Fetch Metadata headers tell your server how a request was made — was it a top-level nav, a fetch from your own page, an iframe load from a foreign origin, an image preload? Paste raw request headers (or build one with the picker), and decode each value, classify the request, and generate a resource-isolation policy snippet that rejects the suspicious combinations.

Parse

Build

Paste request headers

Presets

Build a request

Dest

Mode

Site

User

Storage-Access

Generated headers

Decoded

Classification

Resource Isolation Policy snippet

Drop this into a middleware to reject browser-originated requests that no legitimate page would make. The standard Fetch Metadata isolation policy blocks cross-site nav into non-navigatable destinations and cross-site embeds of sensitive endpoints.

Express / Node

Nginx

Value reference

Header	Values	Meaning
`Sec-Fetch-Dest`	`empty, document, iframe, image, script, style, font, audio, video, worker, manifest, …`	The destination — what element / API initiated the request.
`Sec-Fetch-Mode`	`cors, no-cors, same-origin, navigate, websocket`	The request mode (e.g. how CORS rules apply).
`Sec-Fetch-Site`	`same-origin, same-site, cross-site, none`	Relationship between the initiator origin and the target origin. `none` = user typed the URL.
`Sec-Fetch-User`	`?1` (always — omitted otherwise)	Only set on navigations triggered by a user gesture.
`Sec-Fetch-Storage-Access`	`none, active, inactive`	Whether the request would carry first-party cookies in a third-party context (Storage Access API).

Sec-Fetch-* Header Decoder

Decoded

Classification

Resource Isolation Policy snippet

Value reference

`Sec-Fetch-*` Header Decoder