REST API Content-Type Validation
Understand why Content-Type is a very important header in the HTTP request and response structure, the possible security vulnerabilities around it, and how we mitigate those vulnerabilities.
Definition of HTTP requests and responses
Before we get to content type, let’s dissect HTTP requests and responses.
When you enter https://www.example.com/test.html in the browser, the browser creates an HTTP request:
```http
GET /test.html HTTP/1.1
Host: www.example.com
```
The request also carries other headers, such as User-Agent, Accept, and so on.
HTTP Structure
| HTTP Structure | Required? | HTTP Request | HTTP Response |
|---|---|---|---|
| Start line | Required | Method + resource path + protocol version | Status code and description |
| Message header CRLF | Optional | Request headers | Response headers |
| CRLF | Required | CRLF | CRLF |
| Message body | Optional | Optional body | Optional body |
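To make the four-part structure in the table concrete, here is a small added example (not code from the original article) that splits a raw HTTP/1.1 request at the CRLF boundaries into start line, headers and body, and then applies the kind of Content-Type allowlist check a JSON REST API would use. The sample request and the `application/json` allowlist are constructed assumptions for the demo.

```python
# Media types this hypothetical JSON REST API accepts in request bodies
# (an assumed allowlist, not taken from the original article).
ALLOWED_MEDIA_TYPES = {"application/json"}

def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into the parts from the structure table:
    start line, header block, the blank CRLF line, and the optional body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing the CRLF line that ends the header block")
    lines = head.split(b"\r\n")
    # Start line: method, resource path, protocol version
    method, target, version = lines[0].decode("ascii").split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        # Header names are case-insensitive; repeated headers are folded with a comma
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def content_type_allowed(headers: dict, allowed=ALLOWED_MEDIA_TYPES) -> bool:
    """True only if exactly one Content-Type is present and its media type
    (the part before any ';charset=...' parameter) is on the allowlist."""
    value = headers.get("content-type")
    if value is None or "," in value:   # absent or duplicated header: reject
        return False
    media_type = value.split(";", 1)[0].strip().lower()
    return media_type in allowed

# Constructed sample request used to exercise the parser
SAMPLE = (b"POST /api/users HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"Content-Type: application/json; charset=utf-8\r\n"
          b"Content-Length: 16\r\n"
          b"\r\n"
          b'{"name": "test"}')

if __name__ == "__main__":
    req = parse_http_request(SAMPLE)
    print(req["method"], req["target"], content_type_allowed(req["headers"]))
```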
The message header in the structure shown above can be further categorized into three types of headers:
- General, request, and representation headers for HTTP