The actual problem - at server side we need to distinguish REST requests from other browser HTTP requests like image request, page request and etc. By saying "REST request" I mean a request made by JS utilities like XMLHTTPRequest or fetch; by saying "other browser requests" I mean requests generated when you open a webpage, a webpage loads images, sounds, video and etc.
So, when I encountered this problem I first started to look for some criteria that can help me reliably distinguish these kinds of requests and of course the first idea that came to me was headers - there must be some headers that are present on REST requests and absent on others (or vice versa or something else). A little investigation led me to understanding of the fact that my fetch requests has "Sec-Fetch-Dest" header set to "empty" and other browser generated requests has "Sec-Fetch-Dest" with other values. And since I found no exceptions for this rule I thought the problem is solved - on server side we just check if a request has "sec-fetch-dest" header and it has explicit value of "empty", and if yes then it is REST request; if not then some other automatically generated request. But then I googled sec-fetch-dest and found not so much mentionings of sec-fetch-dest and instantly thought that my solution is not that elegant or adequate as I thought, and maybe there is something else that people do to distinguish REST requests from generic requests.
Hence the question - is existence of "sec-fetch-dest: empty" header is a reliable criteria to tell REST requests from generic requests for a HTTPS web app? If not then what are the other options?
Thanks in advance!
PS: it may look like this old question is the same as mine - Sec-Fetch-Dest request header attribute to determine if it is a page, but it actually not the same
No idea which tags should this question have, edit please
Since nobody joined the conversation and thus there are no objections I think it's ok to say that in secured web apps a criteria of an HTTP request having "sec-fetch-dest" header set to "empty" may be reliably used to distinguish REST requests from other browser generated HTTP requests