Content-Type header
Description
The Content-Type header was either missing or empty. Without a declared media type the client has to guess how to interpret the body; browsers do this by MIME sniffing, so a JSON or plain-text response can end up being rendered as HTML, and any attacker-controlled content in it executed as script.
Remediation
Ensure your server sets a specific and appropriate Content-Type value for the delivered content (for example application/json; charset=utf-8 for JSON, never a blank value or a catch-all), and send X-Content-Type-Options: nosniff so that browsers honour the declared type instead of guessing from the body.
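The following is an added example, not part of the Escape scanner, showing what this check has to decide about a raw HTTP response: whether Content-Type is absent, present but blank, or (the closely related failure) present but naming a non-JSON type on a JSON body. It also records whether X-Content-Type-Options: nosniff was sent. The sample responses are constructed; the parser is deliberately minimal and only handles HTTP/1.1 framing.

```python
"""Check a raw HTTP response for a missing or empty Content-Type header,
plus the related case of a JSON body labelled with a non-JSON media type.
Added example, not part of the Escape scanner; the sample responses at the
bottom are constructed."""
import json

# Media types that legitimately describe a JSON payload.
JSON_TYPES = {"application/json", "application/graphql-response+json"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).

    headers maps a lower-cased field name to the list of values seen for it,
    so duplicated headers are preserved rather than silently overwritten.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_code, headers, body


def media_type(value: str) -> str:
    """'application/json; charset=utf-8' -> 'application/json'."""
    return value.split(";", 1)[0].strip().lower()


def looks_like_json(body: bytes) -> bool:
    """True if the body parses as a JSON object or array."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False


def check_content_type(raw: bytes) -> dict:
    """Return {'finding': ..., 'media_type': ..., 'nosniff': ...}.

    finding is one of 'ok', 'no-body' (204/304, header not required),
    'missing', 'empty', or 'mismatch' (JSON body, non-JSON media type).
    """
    status, headers, body = parse_response(raw)
    values = headers.get("content-type", [])
    nosniff = any(v.strip().lower() == "nosniff"
                  for v in headers.get("x-content-type-options", []))
    result = {"finding": "ok", "media_type": None, "nosniff": nosniff}

    if status in (204, 304) and not body:
        result["finding"] = "no-body"
    elif not values:
        result["finding"] = "missing"
    elif not values[0]:
        result["finding"] = "empty"
    else:
        mt = media_type(values[0])
        result["media_type"] = mt
        if looks_like_json(body) and mt not in JSON_TYPES and not mt.endswith("+json"):
            result["finding"] = "mismatch"
    return result


# Constructed sample responses (not captured from any real service).
BODY = b'{"data":{"viewer":"alice"}}'
OK_JSON = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: application/json; charset=utf-8\r\n"
           b"X-Content-Type-Options: nosniff\r\n\r\n" + BODY)
MISSING = b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n" + BODY
EMPTY = b"HTTP/1.1 200 OK\r\nContent-Type:\r\n\r\n" + BODY
MISMATCH = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + BODY
NO_CONTENT = b"HTTP/1.1 204 No Content\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("ok", OK_JSON), ("missing", MISSING), ("empty", EMPTY),
                      ("mismatch", MISMATCH), ("204", NO_CONTENT)]:
        print(f"{name:9} {check_content_type(raw)}")
```

The 'mismatch' case is not what this particular check reports, but it is the same risk: a browser that is told text/html for a JSON body will render it, and only nosniff or a correct declared type stops that.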
GraphQL Specific
Apollo
Apollo Server sets Content-Type: application/json on its own GraphQL responses (and application/graphql-response+json when the client asks for it in Accept). If the header is missing, look at what surrounds it: a custom Express or Fastify handler that writes the body directly, an error path, or a proxy that strips headers. Set response headers in the hosting HTTP framework, or in an Apollo plugin's willSendResponse hook via requestContext.response.http.headers.set(...); resolvers should not touch HTTP headers at all.
Yoga
GraphQL Yoga sets the Content-Type of its responses itself (application/json, or application/graphql-response+json when the client requests it in Accept). If the header is missing, check the server or framework the Yoga handler is mounted in, and any proxy in front of it. Send X-Content-Type-Options: nosniff as well, so browsers never sniff a response whose declared type is wrong; input validation is a separate control and does not address MIME sniffing.
Awsappsync
AWS AppSync is a managed endpoint and sets Content-Type: application/json on its GraphQL responses itself; response mapping templates and JavaScript resolvers shape the payload and do not control HTTP response headers. If this finding appears against an AppSync API, the header is being dropped or blanked by a layer in front of it, such as a CloudFront distribution, API Gateway, or a custom-domain proxy; correct it there rather than in the resolvers.
Graphqlgo
Ensure every response your handler writes carries Content-Type: application/json. The handler from github.com/graphql-go/handler sets it for you; if you serve graphql-go from your own net/http handler, call w.Header().Set("Content-Type", "application/json") before the first w.Write. If you do not, Go's ResponseWriter fills the header in by sniffing the first bytes of the body with http.DetectContentType, which labels JSON as text/plain; that is exactly the guesswork this check exists to rule out.
Graphqlruby
The finding is about the response: make sure the controller action that serves GraphQL renders with render json: result, which sets Content-Type: application/json. Separately, requiring application/json on incoming requests (a before_action that rejects other request content types, or a Rack middleware) is a worthwhile CSRF defence for a GraphQL endpoint that has protect_from_forgery disabled, because an HTML form cannot submit that media type cross-origin without a CORS preflight; it does not, however, affect the response header this check looks at.
Hasura
Hasura GraphQL Engine sets Content-Type: application/json on its responses itself (application/graphql is a request media type for raw query bodies, not a response type). If the header is missing, it is being stripped by a reverse proxy, load balancer or API gateway in front of the engine; correct it at that layer and add X-Content-Type-Options: nosniff there as well.
REST Specific
Asp_net
Ensure that all responses from the ASP.NET application explicitly set the 'Content-Type' header to the appropriate MIME type. For example, use 'Response.ContentType = "application/json";' when returning JSON data.
Ruby_on_rails
Ensure that your Ruby on Rails application explicitly sets the 'Content-Type' of each response. 'render json: @object' already emits 'Content-Type: application/json'; use a 'respond_to' block when an action serves several formats, and pass 'content_type:' to 'render' or 'send_data' only for types Rails does not infer for you.
Next_js
Ensure that all server-side responses include a proper Content-Type header. In Next.js API routes (pages/api), res.json() sets application/json for you; when you write the body yourself with res.send() or res.end(), call res.setHeader('Content-Type', 'application/json') first. Route handlers in the app directory return a Web Response, so set the header on that object (new Response(body, { headers: { 'Content-Type': 'application/json' } })) or use Response.json().
Laravel
In Laravel, ensure that responses from the server explicitly set the 'Content-Type' header to the appropriate MIME type. For JSON responses, use the 'response()->json()' method, which automatically sets the 'Content-Type' header to 'application/json'. For other content types, use the 'header()' method on the response object to set the 'Content-Type' correctly. For example, for HTML content, you can use 'response($content)->header('Content-Type', 'text/html')'. Input validation is a separate control and does not stop MIME sniffing; add 'X-Content-Type-Options: nosniff' (for example from a middleware via '$response->headers->set('X-Content-Type-Options', 'nosniff')') so browsers honour the declared type.
Express_js
Ensure that all responses from the Express.js application explicitly set the 'Content-Type' header to the appropriate MIME type. 'res.json()' sets 'application/json' for you; if you write the body with 'res.send()' or 'res.end()' yourself, call 'res.type('application/json')' (or 'res.set('Content-Type', ...)') first. Be aware that 'res.send()' with a string argument defaults to 'text/html', so a pre-serialised JSON string sent that way is labelled as HTML.
Django
Ensure that all responses from the Django application explicitly set the 'Content-Type' header. Use the 'HttpResponse' object's 'content_type' argument to set the appropriate MIME type, such as 'application/json' for JSON responses, or 'text/html' for HTML responses.
Symfony
In Symfony, ensure that the response object sets the 'Content-Type' header to the appropriate MIME type before returning it. For example, with '\Symfony\Component\HttpFoundation\Response', set the header using '$response->headers->set('Content-Type', 'application/json');' if you are returning JSON data.
Spring_boot
Ensure that all responses from the Spring Boot application explicitly set the 'Content-Type' header. This can be achieved by configuring the HttpMessageConverters or by using the '@ResponseBody' annotation on controller methods to automatically set the header based on the returned object type. For any manual response setting, use 'HttpServletResponse.setContentType()' to specify the correct MIME type.
Flask
Ensure that all responses from the Flask application explicitly set the 'Content-Type' header to the appropriate MIME type. For example, use 'response.content_type = 'application/json'' for JSON responses.
Nuxt
Ensure that all server responses include a proper 'Content-Type' header. In Nuxt 3 server routes (server/api), returning an object serialises it as JSON with 'application/json'; when you write the body yourself, call 'setHeader(event, 'Content-Type', 'application/json')' from h3 first. Headers for whole route groups can be declared in 'nuxt.config' with 'routeRules', for example '{ '/api/**': { headers: { 'X-Content-Type-Options': 'nosniff' } } }'. In Nuxt 2 'serverMiddleware', which works on Node's req/res, use 'res.setHeader('Content-Type', 'application/json')'.
Fastapi
Ensure that all responses from FastAPI endpoints explicitly set the Content-Type header to the appropriate MIME type. For JSON responses, use Response(content, media_type='application/json') (or JSONResponse), or rely on FastAPI's automatic JSON response conversion by returning Python dictionaries or Pydantic models.
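Most of the frameworks above (Flask, Django, and anything else that speaks WSGI) can be put behind one guard that catches the class of bug this check reports, instead of relying on every handler remembering the header. The following is an added example, not code from any of the frameworks listed: a small WSGI middleware that repairs responses missing a non-empty Content-Type and adds X-Content-Type-Options: nosniff, together with constructed demo apps and an in-process WSGI client so it runs without a server.

```python
"""WSGI middleware that guarantees every response leaves with a non-empty
Content-Type and an X-Content-Type-Options: nosniff header.  Added example,
not part of Flask, Django or any framework above; it works in front of any
WSGI application.  The demo apps and in-process client are constructed."""
import json
from io import BytesIO

NO_BODY_STATUSES = {204, 304}   # no payload, so no Content-Type is required


def get_header(headers, name):
    """Case-insensitive lookup in a WSGI header list; None if absent."""
    name = name.lower()
    for key, value in headers:
        if key.lower() == name:
            return value
    return None


class ContentTypeEnforcer:
    """Wraps a WSGI app and repairs responses that forgot Content-Type.

    fallback is the media type used when the app set none.  Choose it per
    endpoint: application/json for a pure JSON/GraphQL API, otherwise the
    inert application/octet-stream, which browsers download rather than
    render.  The body is deliberately never sniffed to pick a type.
    """

    def __init__(self, app, fallback="application/octet-stream", nosniff=True):
        self.app = app
        self.fallback = fallback
        self.nosniff = nosniff

    def __call__(self, environ, start_response):
        def checked_start_response(status, headers, exc_info=None):
            code = int(status.split(" ", 1)[0])
            headers = list(headers)          # copy; never mutate the app's list
            if code not in NO_BODY_STATUSES:
                current = get_header(headers, "Content-Type")
                if current is None or not current.strip():
                    headers = [(k, v) for k, v in headers if k.lower() != "content-type"]
                    headers.append(("Content-Type", self.fallback))
                if self.nosniff and get_header(headers, "X-Content-Type-Options") is None:
                    headers.append(("X-Content-Type-Options", "nosniff"))
            return start_response(status, headers, exc_info)

        return self.app(environ, checked_start_response)


# --- constructed demo apps --------------------------------------------------

def leaky_app(environ, start_response):
    """Returns JSON but forgets the header: the condition this check flags."""
    body = json.dumps({"data": {"viewer": "alice"}}).encode()
    start_response("200 OK", [("Content-Length", str(len(body)))])
    return [body]


def correct_app(environ, start_response):
    """Sets the header itself; the middleware leaves it untouched."""
    body = json.dumps({"data": {"viewer": "alice"}}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def no_content_app(environ, start_response):
    """204 has no body, so no Content-Type must be invented for it."""
    start_response("204 No Content", [])
    return [b""]


def call_wsgi(app, path="/graphql"):
    """Minimal in-process WSGI client: returns (status_code, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http", "wsgi.input": BytesIO(b"")}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return int(captured["status"].split()[0]), captured["headers"], body


if __name__ == "__main__":
    cases = [("leaky", leaky_app),
             ("leaky+enforcer", ContentTypeEnforcer(leaky_app, fallback="application/json")),
             ("correct+enforcer", ContentTypeEnforcer(correct_app)),
             ("204+enforcer", ContentTypeEnforcer(no_content_app))]
    for name, app in cases:
        code, headers, _ = call_wsgi(app)
        print(f"{name:18} {code} {headers}")
```

The fallback is a safety net, not the fix: the handler that produced the response is still wrong and should be corrected, and in production you would log the repaired path so the finding does not silently recur. Setting a fallback of application/octet-stream on a mixed HTML/JSON application is the conservative choice, since a browser will refuse to render it.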
Configuration
Identifier:
protocol/header_content_type
Examples
Ignore this check
checks:
  protocol/header_content_type:
    skip: true
Score
- Escape Severity: LOW
Compliance
OWASP: API7:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-4
Classification
- CWE: 16
Score
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CVSS_SCORE: 4.3