Security Test: Content type

Description

Default Severity:

If the Content-Type header is not explicitly set to the expected value, clients can misinterpret what the response really is. For example, if a GraphQL API returns something other than JSON but the client assumes it is valid JSON, this creates room for content sniffing, which may allow attackers to execute malicious code or tamper with data. Developers sometimes skip setting the proper headers because they assume the defaults are adequate or that the response format is not security-relevant, but this can make the application behave unpredictably, expose sensitive information, or open the door to cross-site scripting if a browser guesses the content type incorrectly. It is a classic case of a small oversight growing into a larger security issue if left unfixed.
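The following is an added example, not the scanner's own implementation: an offline version of the check this page describes. It takes a captured GraphQL response as a header dict plus raw body and reports the defects that would make the response a candidate for content sniffing: a missing or unexpected Content-Type, an unexpected charset, a body that is not a GraphQL JSON response object, and a missing X-Content-Type-Options: nosniff header. The accepted media types (application/json and application/graphql-response+json), the helper names and the response fixtures are assumptions made for this example.

```python
import json

# Media types a GraphQL client may legitimately treat as a GraphQL response
# (assumption for this example; application/graphql-response+json is the
# type defined by the GraphQL-over-HTTP specification).
ACCEPTED_TYPES = {"application/json", "application/graphql-response+json"}


def parse_content_type(value):
    """Split 'Application/JSON; Charset=UTF-8' into
    ('application/json', {'charset': 'utf-8'}), normalising case."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for param in parts[1:]:
        if "=" in param:
            key, val = param.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"').lower()
    return media_type, params


def check_graphql_content_type(headers, body):
    """Return a list of finding strings for one response; [] means it passes.

    `headers` is a dict of response headers (looked up case-insensitively),
    `body` is the raw response bytes.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    ctype = lower.get("content-type")
    if ctype is None:
        findings.append("missing Content-Type header")
    else:
        media_type, params = parse_content_type(ctype)
        if media_type not in ACCEPTED_TYPES:
            findings.append(f"unexpected media type {media_type!r}")
        charset = params.get("charset")
        if charset not in (None, "utf-8"):
            findings.append(f"unexpected charset {charset!r}")

    # Whatever the header says, a GraphQL response body should be a JSON
    # object carrying "data" and/or "errors". A JSON body delivered under a
    # non-JSON media type is exactly the mismatch that invites sniffing.
    try:
        doc = json.loads(body.decode("utf-8"))
        if not isinstance(doc, dict) or not any(k in doc for k in ("data", "errors")):
            findings.append("body is JSON but not a GraphQL response object")
    except (UnicodeDecodeError, ValueError):
        findings.append("body is not valid JSON")

    # nosniff tells browsers to trust the declared type instead of guessing.
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")
    return findings


# Constructed response fixtures (not captured from any real API).
GOOD_RESPONSE = (
    {"Content-Type": "application/json; charset=utf-8",
     "X-Content-Type-Options": "nosniff"},
    b'{"data":{"viewer":{"login":"alice"}}}',
)
NO_HEADER_RESPONSE = ({}, b'{"data":{"viewer":{"login":"alice"}}}')
HTML_TYPE_RESPONSE = (
    {"Content-Type": "text/html"},
    b'{"data":{"viewer":{"login":"alice"}}}',
)

if __name__ == "__main__":
    for name, resp in [("good", GOOD_RESPONSE),
                       ("no header", NO_HEADER_RESPONSE),
                       ("html type", HTML_TYPE_RESPONSE)]:
        print(name, "->", check_graphql_content_type(*resp) or "pass")
```

The check deliberately reports the nosniff header separately from the media type: a correct Content-Type alone still leaves older browsers free to guess, so a hardened GraphQL endpoint should set both.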

Reference:

Configuration

Identifier: protocol/graphql_content_type

Examples

All configuration available:

checks:
  protocol/graphql_content_type:
    skip: false # default

Compliance and Standards

| Standard          | Value                               |
|-------------------|-------------------------------------|
| OWASP API Top 10  | API7:2023                           |
| OWASP LLM Top 10  | LLM02:2023                          |
| PCI DSS           | 6.5.1                               |
| GDPR              | Article-5                           |
| SOC2              | CC6                                 |
| PSD2              | Article-97                          |
| ISO 27001         | A.14.1                              |
| NIST              | SP800-95                            |
| FedRAMP           | SC-7                                |
| CWE               | 16                                  |
| CVSS Vector       | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| CVSS Score        | 4.3                                 |