From 39c50dc013944a0a27b4354c23f406956ac45971 Mon Sep 17 00:00:00 2001
From: Markus Heiser
Date: Mon, 30 Jun 2025 13:31:45 +0200
Subject: [PATCH] [fix] sec-fetch-* headers cannot be verified for non-secure requests (#4962)

Signed-off-by: Markus Heiser
---
 searx/botdetection/http_sec_fetch.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/searx/botdetection/http_sec_fetch.py b/searx/botdetection/http_sec_fetch.py
index 5f16d1d9b..f64ee4b2c 100644
--- a/searx/botdetection/http_sec_fetch.py
+++ b/searx/botdetection/http_sec_fetch.py
@@ -82,6 +82,12 @@ def filter_request(
 cfg: config.Config,
 ) -> werkzeug.Response | None:

+ if not request.is_secure:
+ logger.warning(
+ "Sec-Fetch cannot be verified for non-secure requests (HTTP headers are not set/sent by the client)."
+ )
+ return None
+
 # Only check Sec-Fetch headers for supported browsers
 user_agent = request.headers.get('User-Agent', '')
 if is_browser_supported(user_agent):
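Review bot: The early `return None` added at the top of `filter_request` makes the Sec-Fetch check fail open whenever `request.is_secure` is false, and that flag is derived from the WSGI URL scheme, so behind a TLS-terminating reverse proxy whose forwarded scheme is not passed on and trusted, every request would presumably skip this check. The branch deserves a comment saying so, e.g. `# is_secure reflects wsgi.url_scheme; behind a reverse proxy it is only correct when the forwarded scheme is passed on and trusted`. The `logger.warning(...)` call also runs once per non-secure request, so plain-HTTP traffic can flood the log at warning level; emitting it once per process, or switching to `logger.debug(...)`, would keep the signal readable. The body of `filter_request` continues beyond the hunk, so whether other botdetection filters still cover non-secure requests cannot be judged from the lines shown.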