
Missing "Content-Type" Header (Functional Testing)

Description

The API does not set the "Content-Type" header in its responses. This header lets API clients parse the response body and validate that the type of data is what they expect. When the API does not return this header, clients have to "guess" the type of content in the response body, which can lead to discrepancies and parsing errors.

Remediation

Configure your API to set the appropriate 'Content-Type' header in all responses (e.g., 'application/json' for JSON responses). This ensures that API consumers can correctly parse the returned data. If you use a web framework or library, verify that it automatically includes the 'Content-Type' header; otherwise, add it manually in your response-handling logic. Regularly review and test endpoint responses to confirm that the header is accurate and consistently applied. Additionally, employ a Web Application Firewall (WAF) or intrusion detection system to monitor for requests that might exploit absent or incorrect 'Content-Type' values.
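An added example, not part of this finding's original text: a small response audit a tester can run over captured responses to flag a missing or mismatched Content-Type, plus a strict client-side parser that refuses to sniff the body type. The Response class and the sample responses are constructed for this example.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_content_type(resp):
    """Return findings for one response; an empty list means it passes."""
    if resp.status == 204 or not resp.body:
        return []  # no body, so there is nothing to declare
    ct = header(resp.headers, "Content-Type")
    if ct is None:
        return ["missing Content-Type header"]
    media = ct.split(";")[0].strip().lower()
    findings = []
    if media == "application/json":
        try:
            json.loads(resp.body)  # declared JSON must actually be JSON
        except ValueError:
            findings.append("declared application/json but body is not valid JSON")
    elif media.startswith("text/") and "charset=" not in ct.lower():
        findings.append("text/* response without a charset parameter")
    return findings

def parse_json_strict(resp):
    """Client side: only parse a body the server explicitly declared as JSON."""
    ct = header(resp.headers, "Content-Type")
    if ct is None:
        raise ValueError("refusing to guess the body type: no Content-Type")
    if ct.split(";")[0].strip().lower() != "application/json":
        raise ValueError(f"expected application/json, got {ct!r}")
    return json.loads(resp.body.decode("utf-8"))

# Constructed sample responses, as a scanner might collect them per endpoint.
SAMPLES = {
    "ok": Response(200, {"content-type": "application/json; charset=utf-8"}, b'{"id": 7}'),
    "missing": Response(200, {}, b'{"id": 7}'),
    "mismatch": Response(200, {"Content-Type": "application/json"}, b"<html>oops</html>"),
    "no_body": Response(204, {}),
}

def audit(samples):
    """Map each sample name to its findings, keeping only failing responses."""
    return {n: check_content_type(r) for n, r in samples.items() if check_content_type(r)}
```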

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type
https://owasp.org/www-community/attacks/Information_exposure

Severity

LOW

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-16
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

2.6

CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

2.6