Missing 'Content-Type' Header
What is it?
The API endpoint or server returned a response without the Content-Type header being set.
API responses are typically of type 'application/json'.
References
- OWASP API TOP-10 A7
- Setting JSON Content Type In Spring MVC
- Web API Request/Response Data Formats
- CWE-345
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Each response sent by the API server is inspected for a missing Content-Type header.
What is the solution?
Ensure each API endpoint sets the specific and appropriate Content-Type value for the content it delivers (for example, application/json for JSON responses).
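The following is an added example, not code from the scanner this page documents: it parses constructed sample HTTP responses and reports whether the Content-Type header is missing, or does not match a JSON body. It assumes HTTP/1.1 text responses and treats 204/304 and empty-body responses as needing no Content-Type.

```python
"""Added example: flag API responses whose Content-Type header is missing
or does not match a JSON body. Sample responses below are constructed."""
import json

# Status codes that carry no body, so a Content-Type header is not expected.
NO_BODY_STATUSES = {204, 304}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, headers, body).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def looks_like_json(body: str) -> bool:
    """True when the body is a JSON object or array, the usual API payload."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False


def check_content_type(raw: str) -> str:
    """Return 'ok', 'missing' or 'mismatch' for one raw response."""
    status, headers, body = parse_response(raw)
    if status in NO_BODY_STATUSES or body == "":
        return "ok"  # nothing delivered, so nothing to label
    ctype = headers.get("content-type")
    if ctype is None:
        return "missing"
    media_type = ctype.split(";", 1)[0].strip().lower()  # drop charset parameters
    is_json_type = media_type == "application/json" or media_type.endswith("+json")
    if looks_like_json(body) and not is_json_type:
        return "mismatch"
    return "ok"


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "no_header": 'HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n{"id": 42}',
    "json_ok": 'HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n\r\n{"id": 42}',
    "wrong_type": "HTTP/1.1 200 OK\r\ncontent-type: text/plain\r\n\r\n[1, 2]",
    "no_body": "HTTP/1.1 204 No Content\r\nServer: demo\r\n\r\n",
}


def run_samples() -> dict:
    """Check every constructed sample and return {name: result}."""
    return {name: check_content_type(raw) for name, raw in SAMPLES.items()}
```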