A fetch metadata request header is an HTTP request header that provides additional information about the context from which the request originated. This allows the server to make decisions about whether a request should be allowed based on where the request came from and how the resource will be used.
With this information a server can implement a resource isolation policy, allowing external sites to request only those resources that are intended for sharing, and that are used appropriately. This approach can help mitigate common cross-site web vulnerabilities such as CSRF, Cross-site Script Inclusion (XSSI), timing attacks, and cross-origin information leaks.
These headers are prefixed with Sec-, and hence are forbidden request headers. As such, they cannot be modified from JavaScript.
The following request headers are not strictly "fetch metadata request headers", as they are not in the same specification, but similarly provide information about the context of how a resource will be used.
A server might use them to modify its caching behavior, or the information that is returned:
