From 4fc4f86b364042021e1f05a6063209280cdb2a60 Mon Sep 17 00:00:00 2001 From: "j.koehoorn" Date: Wed, 2 Oct 2024 09:38:37 +0200 Subject: [PATCH] Clarify that requests with Content-Length: 0 do not require a Content-Type header --- cheatsheets/REST_Security_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/REST_Security_Cheat_Sheet.md b/cheatsheets/REST_Security_Cheat_Sheet.md index efdeab4c02..e5f6ba88d3 100644 --- a/cheatsheets/REST_Security_Cheat_Sheet.md +++ b/cheatsheets/REST_Security_Cheat_Sheet.md @@ -98,7 +98,7 @@ A REST request or response body should match the intended content type in the he ### Validate request content types -- Reject requests containing unexpected or missing content type headers with HTTP response status `406 Unacceptable` or `415 Unsupported Media Type`. +- Reject requests containing unexpected or missing content type headers with HTTP response status `406 Unacceptable` or `415 Unsupported Media Type`. For requests with `Content-Length: 0` no `Content-type` header is expected. - For XML content types ensure appropriate XML parser hardening, see the [XXE cheat sheet](XML_External_Entity_Prevention_Cheat_Sheet.md). - Avoid accidentally exposing unintended content types by explicitly defining content types e.g. [Jersey](https://jersey.github.io/) (Java) `@consumes("application/json"); @produces("application/json")`. This avoids [XXE-attack](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_%28XXE%29_Processing) vectors for example.
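Review bot: the added sentence in the `### Validate request content types` hunk ties the exemption to `Content-Length: 0`, but that is neither the only way a request has no body (a plain `GET` or `DELETE` usually carries no `Content-Length` at all) nor a reliable sign that it has none (a `Transfer-Encoding: chunked` request has a body and no `Content-Length`), so a validator that literally checks for `Content-Length: 0` will either reject bodiless requests or wave through chunked bodies with no declared type. Suggest stating the rule in terms of the body rather than the header, e.g. "For requests without a body (for example `Content-Length: 0` and no `Transfer-Encoding`) no `Content-Type` header is expected; any request that carries a body must declare its content type." Two smaller points on the same line: the new text spells the header `Content-type` while `Content-Length` in the same sentence is in canonical form, so use `Content-Type` for consistency (HTTP header names are case-insensitive, but the cheat sheet should not mix spellings), and since the line is being touched anyway, the reason phrase for status 406 is `Not Acceptable`, not `Unacceptable`.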