loke.dev
Header image for How I Finally Understood the 'Sec-Fetch' Headers: My Quest to Kill CSRF Without a Single Token

How I Finally Understood the 'Sec-Fetch' Headers: My Quest to Kill CSRF Without a Single Token

Discover why the browser's own metadata is the most powerful—and most overlooked—tool in your web security arsenal for protecting APIs without the overhead of traditional tokens.

· 4 min read

I spent three hours debugging a CSRF token mismatch because of a weird clock skew issue on a staging server. That was the moment I realized that if I had to manage one more hidden input field or custom header just to prove a request came from *my own site*, I was going to lose my mind.

For years, we’ve been told that CSRF (Cross-Site Request Forgery) is the boogeyman of the web, and the only way to kill it is by passing around secret tokens like high schoolers passing notes in class. But there's a better way. Browsers have quietly become much smarter, and they’ve started giving us the answers to the "is this request legit?" test for free.

The Metadata Secret Sauce

Enter Fetch Metadata. These are a set of HTTP headers that start with Sec-Fetch-. The "Sec" stands for forbidden header—meaning as a developer, you can't touch them with JavaScript. The browser sets them, the browser controls them, and the browser doesn't lie about them.

If a malicious site tries to trigger a POST request to your API, the browser will dutifully attach headers that basically say, "Hey, this request originated from a totally different neighborhood."

Here are the four big players:

1. `Sec-Fetch-Site`: Tells you where the request came from (same-origin, same-site, cross-site, or none).
2. `Sec-Fetch-Mode`: Tells you the "vibe" of the request (navigate, cors, no-cors, etc.).
3. `Sec-Fetch-Dest`: Tells you what the requester actually wants (document, image, script, etc.).
4. `Sec-Fetch-User`: Tells you if a human actually clicked something (?1 for true).

Why 'same-origin' is your new best friend

In the old days, we had to check the Referer or Origin headers. But those are notoriously flaky. Sometimes they're stripped for privacy; sometimes they're just not there.

Sec-Fetch-Site is different. If a request is same-origin, it means the call is coming from your own domain. If it's cross-site, someone else is trying to talk to your server.

Instead of generating, storing, and validating a random string (the CSRF token), we can just ask the server: "Is this request coming from my own house?"

Implementation: The "Resource Isolation" Policy

Let’s look at how this looks in a real Node.js/Express app. You can drop this middleware in, and suddenly, most CSRF attacks are dead on arrival.

const csrfProtection = (req, res, next) => {
  const fetchSite = req.header('sec-fetch-site');

  // 1. Browsers that don't support Sec-Fetch (Legacy)
  // You might want a fallback or to just let them through if you're feeling risky.
  if (!fetchSite) return next();

  // 2. Allow same-origin, same-site, and non-web requests (like mobile apps)
  if (['same-origin', 'same-site', 'none'].includes(fetchSite)) {
    return next();
  }

  // 3. If it's cross-site, we only allow top-level navigations (GET requests to load a page)
  // This prevents malicious sites from POSTing data or using <iframe> to trick users.
  if (req.header('sec-fetch-mode') === 'navigate' && req.method === 'GET') {
    return next();
  }

  // 4. If we got here, it's a cross-site request trying to do something fishy.
  console.warn(`Blocked a potential CSRF attack from: ${req.header('origin')}`);
  return res.status(403).send('Action not allowed from external origins.');
};

app.use(csrfProtection);

The "But What About...?" Section

I know what you're thinking. "Is it really this simple?" Mostly, yes. But there are a few things to keep in mind.

What about Safari?
Safari was the late bloomer here. While Chrome and Firefox have supported these headers for years, Safari only recently jumped on the bandwagon (version 13+). If your user base is strictly on ancient hardware, you might still need those annoying tokens. But for 98% of the modern web? You're golden.

The 'none' value
You noticed 'none' in my code example. This happens when a request doesn't come from a website at all—like when you type the URL into your browser directly or when a mobile app hits your API. You usually want to allow these, unless you're building something extremely locked down.

Simple GETs are still okay
The logic here is: let people link to your site (that's a navigate request), but don't let them *submit* things to your site. A cross-site POST request will always be flagged as cross-site, and since it's not a navigate request, our middleware blocks it.

Why this beats tokens every time

1. Zero State: You don't need to store tokens in Redis or a database.
2. No Hidden Inputs: Your frontend code gets cleaner. No more <input type="hidden" name="_csrf" ...>.
3. Performance: Checking a string in a header is infinitely faster than a database lookup or a cryptographic sign/verify operation.
4. Decoupling: Your API doesn't need to know about the frontend's session state to verify the request's origin.

Wrapping Up

Security doesn't always have to be a layer of complexity you add on top of your app. Sometimes, it’s about realizing the browser is already doing the heavy lifting for you. By leveraging Sec-Fetch headers, you're not just making your life easier; you're building a more robust, state-free security model that's significantly harder for attackers to bypass.

Go ahead, delete those CSRF token generators. It feels amazing.