Content-Type header

Description

The Content-Type header was either missing or empty.

Remediation

Ensure your server sets the specific and appropriate Content-Type value for the delivered content.
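The check described above, as an added example that is not part of the original page or the scanner's own code: a framework-neutral function that flags a response whose Content-Type header is missing or empty, plus a 'mismatch' finding (an extension of the remediation's "specific and appropriate value" advice) for JSON bodies declared under a non-JSON type. Header names, sample headers and bodies are constructed.

```python
import json
from typing import Mapping, Optional

# Media types the remediation above names for JSON and GraphQL responses
JSON_TYPES = {"application/json", "application/graphql"}

def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def media_type(value: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return value.split(";", 1)[0].strip().lower()

def looks_like_json(body: bytes) -> bool:
    """True if the body is a JSON object or array (every GraphQL response is)."""
    try:
        return isinstance(json.loads(body.decode("utf-8")), (dict, list))
    except (UnicodeDecodeError, ValueError):
        return False

def check_content_type(headers: Mapping[str, str], body: bytes) -> Optional[str]:
    """Return a finding name, or None when the response passes.

    'missing'  - no Content-Type header at all
    'empty'    - header present but blank, or carrying only parameters
    'mismatch' - JSON body declared as a non-JSON type; this goes beyond the
                 page's missing/empty check and applies its 'appropriate value' advice
    """
    value = get_header(headers, "Content-Type")
    if value is None:
        return "missing"
    declared = media_type(value)
    if not declared:
        return "empty"
    if declared not in JSON_TYPES and looks_like_json(body):
        return "mismatch"
    return None

# Constructed sample responses, not captured from any real server
SAMPLES = {
    "ok":       ({"Content-Type": "application/json; charset=utf-8"}, b'{"data":{"me":null}}'),
    "missing":  ({"Server": "example"}, b'{"data":{"me":null}}'),
    "empty":    ({"content-type": "; charset=utf-8"}, b'{"data":null}'),
    "mismatch": ({"Content-Type": "text/html"}, b'{"errors":[{"message":"denied"}]}'),
}

def run_samples() -> dict:
    return {name: check_content_type(h, b) for name, (h, b) in SAMPLES.items()}
```

Calling `run_samples()` yields one finding per constructed sample; a header consisting only of parameters is reported as empty, since the media type itself is absent.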

GraphQL Specific

Apollo: Ensure that the Apollo server framework is configured to include the 'Content-Type' header with the appropriate media type (e.g., 'application/json' for JSON responses) in all responses. This can typically be achieved by setting up middleware that sets the header or by configuring the response object directly within your resolver functions.
Yoga: Ensure that the Yoga framework engine properly sets the 'Content-Type' header to the appropriate media type (e.g., 'application/json' for JSON responses) for all responses. This can help mitigate issues such as MIME type confusion attacks. Additionally, validate and sanitize all input to prevent content sniffing and other injection attacks.
Awsappsync: Ensure that the 'Content-Type' header is set to 'application/json' for all JSON-based HTTP responses to prevent MIME type confusion attacks. In AWS AppSync, configure the response mapping template to set the 'Content-Type' header appropriately for the returned content.
Graphqlgo: Ensure that the Content-Type header is set to 'application/json' for all GraphQL requests so that incoming queries are interpreted correctly.
Graphqlruby: Ensure that the Content-Type header is set to 'application/json' for all GraphQL requests to prevent content sniffing and reduce the risk of CSRF attacks. In the GraphQL Ruby framework, you can enforce this by using a before_action callback in your controller to check the Content-Type of incoming requests or by using a middleware that asserts the correct Content-Type header.
Hasura: Ensure that the Content-Type header is set correctly for all responses. For the Hasura GraphQL engine, configure the server to use 'application/json' as the Content-Type for JSON responses and 'application/graphql' for GraphQL responses. This can help prevent MIME type confusion and potential security issues.
Agoo: Ensure the 'Content-Type' header is set appropriately in the Agoo framework to specify the media type of the resource being sent.
Ariadne: Ensure the 'Content-Type' header is set appropriately in the Ariadne framework to specify the media type of the resource being sent.
Caliban: Ensure the 'Content-Type' header is properly set to 'application/json' for JSON responses in the Caliban framework engine.
Dgraph: Ensure the 'Content-Type' header is set to 'application/json' for API requests in the Dgraph framework to properly indicate the format of the data being sent.
Dianajl: Ensure the 'Content-Type' header is properly set to 'application/json' for all responses in the DianaJL framework engine.
Directus: Ensure the 'Content-Type' header is properly set in the Directus framework to specify the media type of the resource being sent, such as 'application/json' for JSON data.
Flutter: Ensure the 'Content-Type' header is set appropriately in HTTP requests by using the 'headers' property in Flutter's 'http' package to specify the correct MIME type, such as 'application/json' for JSON data.
Graphene: Ensure the 'Content-Type' header is set to 'application/json' for all responses in the Graphene framework to properly indicate the media type of the resource.
Graphqlapiforwp: Ensure the 'Content-Type' header is set to 'application/json' for all GraphQL API requests in the GraphQL API for WordPress framework to ensure proper content negotiation and security.
Graphqlgophergo: Ensure the 'Content-Type' header is set to 'application/json' for GraphQL requests in the Gopher framework.
Graphqljava: Ensure the 'Content-Type' header is set to 'application/json' for all GraphQL requests in the graphql-java framework to properly handle request payloads.
Graphqlphp: Ensure the 'Content-Type' header is set to 'application/json' for all GraphQL requests in the graphqlphp framework.
Graphqlyoga: Ensure the 'Content-Type' header is set to 'application/json' for all GraphQL requests in the GraphQL Yoga framework to properly handle incoming requests.
Hypergraphql: Ensure the 'Content-Type' header is set to 'application/json' for all HTTP responses in the Hypergraphql framework engine.
Jaal: Ensure the 'Content-Type' header is properly set to 'application/json' for all responses in the Jaal framework engine to prevent content-type sniffing and ensure correct content interpretation.
Juniper: Ensure the 'Content-Type' header is properly set in HTTP responses to specify the media type of the resource, enhancing security and compatibility in the Juniper framework engine.
Lacinia: Ensure the `Content-Type` header is properly set in the Lacinia framework engine to specify the media type of the resource being sent.
Lighthouse: Ensure the 'Content-Type' header is properly set to indicate the media type of the resource, such as 'application/json' for JSON responses.
Mercurius: Ensure the 'Content-Type' header is properly set in the Mercurius framework to specify the media type of the resource being sent, such as 'application/json' for JSON responses.
Morpheusgraphql: Ensure the 'Content-Type' header is properly set to 'application/json' for all responses in the Morpheus GraphQL framework engine.
Gqlgen: Ensure the 'Content-Type' header is properly set in the gqlgen framework by configuring the server to include the appropriate 'Content-Type' value, such as 'application/json', in the HTTP response headers.
Sangria: Ensure the `Content-Type` header is set to `application/json` for all responses in the Sangria framework to properly indicate the media type of the resource.
Shopify: Ensure the 'Content-Type' header is properly set to 'application/json' for API requests in the Shopify framework to prevent content-type sniffing and ensure correct data processing.
Stepzen: Ensure the 'Content-Type' header is set to 'application/json' in the StepZen framework engine to properly handle JSON data.
Strawberry: Ensure the 'Content-Type' header is properly set to 'application/json' for JSON responses in the Strawberry framework engine.
Tartiflette: Ensure the 'Content-Type' header is properly set to 'application/json' in the Tartiflette framework engine to prevent issues with content negotiation and data processing.
Wpgraphql: Ensure the 'Content-Type' header is set to 'application/json' for all responses in the WPGraphQL framework to prevent content-type sniffing and ensure proper handling of JSON data.

REST Specific

Asp_net: Ensure that all responses from the ASP.NET application explicitly set the 'Content-Type' header to the appropriate MIME type. For example, use `Response.ContentType = "application/json";` when returning JSON data.
Ruby_on_rails: Ensure that your Ruby on Rails application explicitly sets the 'Content-Type' header for each response. Use the 'respond_to' block or 'render' method to set the correct 'Content-Type'. For example, use `render json: @object, content_type: 'application/json'` for JSON responses.
Next_js: Ensure that all server-side responses include a proper `Content-Type` header. In Next.js, you can set headers by using the `res.setHeader` method in API routes or server-side functions. For example, to set the `Content-Type` for a JSON response, use `res.setHeader('Content-Type', 'application/json')` before sending the response.
Laravel: In Laravel, ensure that responses from the server explicitly set the 'Content-Type' header to the appropriate MIME type. For JSON responses, use the `response()->json()` method, which automatically sets the 'Content-Type' header to 'application/json'. For other content types, use the `header()` method on the response object to set the 'Content-Type' correctly. For example, for HTML content, you can use `response($content)->header('Content-Type', 'text/html')`. Always validate and sanitize input data to prevent content sniffing attacks.
Express_js: Ensure that all responses from the Express.js application explicitly set the 'Content-Type' header to the appropriate MIME type. For JSON responses, use `res.type('application/json')` before sending the response to correctly set the header.
Django: Ensure that all responses from the Django application explicitly set the 'Content-Type' header. Use the 'HttpResponse' object's 'content_type' argument to set the appropriate MIME type, such as 'application/json' for JSON responses, or 'text/html' for HTML responses.
Symfony: In Symfony, ensure that the response object sets the 'Content-Type' header to the appropriate MIME type before returning it. For example, use `\Symfony\Component\HttpFoundation\Response` to set the header: `$response->headers->set('Content-Type', 'application/json');` if you are returning JSON data.
Spring_boot: Ensure that all responses from the Spring Boot application explicitly set the 'Content-Type' header. This can be achieved by configuring the HttpMessageConverters or by using the '@ResponseBody' annotation on controller methods to automatically set the header based on the returned object type. For any manual response setting, use `HttpServletResponse.setContentType()` to specify the correct MIME type.
Flask: Ensure that all responses from the Flask application explicitly set the 'Content-Type' header to the appropriate MIME type. For example, use `response.content_type = 'application/json'` for JSON responses.
Nuxt: Ensure that all server responses include a proper 'Content-Type' header. In Nuxt.js, you can set headers using the 'nuxt.config.js' file or within your API routes. For example, use `res.setHeader('Content-Type', 'application/json')` for JSON responses.
Fastapi: Ensure that all responses from FastAPI endpoints explicitly set the `Content-Type` header to the appropriate MIME type. For JSON responses, use `Response(content, media_type='application/json')` or utilize FastAPI's automatic JSON response conversion by returning Python dictionaries or Pydantic models.
Frappe: Ensure the 'Content-Type' header is set appropriately in HTTP responses to specify the media type of the resource, such as 'application/json' for JSON data, to prevent content-type sniffing and ensure proper handling by clients.
Genzio: Ensure the 'Content-Type' header is set to 'application/json' for JSON responses in the Genzio framework engine.
Gin: Ensure the 'Content-Type' header is set correctly in the Gin framework by using the `c.Header("Content-Type", "application/json")` method to specify the appropriate content type for your responses.
Gorilla: Ensure the 'Content-Type' header is properly set to 'application/json' for API responses in the Gorilla framework to prevent content-type sniffing and ensure correct data interpretation.
Hapi: Ensure the 'Content-Type' header is set correctly in Hapi by using the `h.response()` method to specify the content type, such as 'application/json' for JSON responses.
Hono: Ensure the 'Content-Type' header is properly set to indicate the media type of the resource, such as 'application/json' for JSON responses, to prevent content-type sniffing and ensure correct processing by clients.
Jersey: Ensure the 'Content-Type' header is set appropriately in the Jersey framework by using the @Produces and @Consumes annotations to specify the expected media type for request and response entities.
Koa: Ensure the 'Content-Type' header is set correctly in Koa by using `ctx.type` to specify the appropriate MIME type for the response.
Ktor: Ensure the 'Content-Type' header is set correctly in the Ktor application by using the 'contentType' property in the response builder or by setting it explicitly in the route handlers.
Leptos: Ensure the `Content-Type` header is properly set to `application/json` for JSON responses in the Leptos framework to prevent content-type sniffing and ensure correct content interpretation.
Macaron: Ensure the 'Content-Type' header is set appropriately in the Macaron framework by using the 'macaron.Context' method to set the header, such as `ctx.Resp.Header().Set("Content-Type", "application/json")` for JSON responses.
Phoenix: Ensure the `Content-Type` header is set correctly in Phoenix controllers by using `put_resp_content_type/2` to specify the appropriate MIME type for your responses.
Redwoodjs: Ensure the 'Content-Type' header is set appropriately in RedwoodJS by using middleware to specify the correct content type for your responses, such as 'application/json' for JSON APIs.
Rocket: Ensure the 'Content-Type' header is set correctly in the Rocket framework by using the 'Content-Type' method to specify the appropriate MIME type for your response.
Sveltekit: Ensure the `Content-Type` header is set correctly in SvelteKit by using the `setHeaders` function in your endpoints to specify the appropriate MIME type, such as `application/json` for JSON responses.
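Several of the GraphQL and REST entries above recommend middleware that guarantees the header is present. The following is an added example, not code from the page or from any listed framework: a WSGI middleware (so it sits in front of Flask, Django, Graphene or Ariadne apps) that logs and repairs a missing or blank Content-Type. The logger name, the `ContentTypeGuard` class and the `application/octet-stream` fallback are assumptions of this example; the sample app and environ are constructed.

```python
import logging
from typing import Callable, List, Tuple

log = logging.getLogger("content_type_guard")  # hypothetical logger name
Headers = List[Tuple[str, str]]

def _declared_type(headers: Headers) -> str:
    """Media type of the Content-Type header without parameters; '' if missing or blank."""
    for k, v in headers:
        if k.lower() == "content-type":
            return v.split(";", 1)[0].strip().lower()
    return ""

class ContentTypeGuard:
    """WSGI middleware: every response leaves with a non-empty Content-Type.

    A missing or blank header is logged and replaced by FALLBACK. The fallback
    value is an assumption of this example: application/octet-stream is not
    rendered by browsers, so it cannot be sniffed into HTML. The log line is
    the signal to go and fix the handler that omitted the header.
    """
    FALLBACK = "application/octet-stream"

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded(status, headers: Headers, exc_info=None):
            if not _declared_type(headers):
                log.warning("%s %s: Content-Type missing or empty, sending %s",
                            environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"), self.FALLBACK)
                headers = [(k, v) for k, v in headers if k.lower() != "content-type"]
                headers.append(("Content-Type", self.FALLBACK))
            return start_response(status, headers, exc_info)
        return self.app(environ, guarded)

def constructed_app(headers: Headers):
    """Constructed sample app: returns a GraphQL-style JSON body with the given headers."""
    def app(environ, start_response):
        start_response("200 OK", list(headers))
        return [b'{"data":{"me":null}}']
    return app

def response_headers(app, path: str = "/graphql") -> Headers:
    """Call a WSGI app once with a constructed POST environ; return the headers it emitted."""
    seen: dict = {}
    def start_response(status, headers, exc_info=None):
        seen["headers"] = headers
    list(app({"REQUEST_METHOD": "POST", "PATH_INFO": path}, start_response))
    return seen["headers"]
```

Wrapping as `ContentTypeGuard(constructed_app([]))` shows the repair; a correctly typed response such as `application/json; charset=utf-8` passes through untouched.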

Configuration

Identifier: protocol/header_content_type

Examples

Ignore this check

checks:
  protocol/header_content_type:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 16

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3