Handling unknown Content-Type values can introduce security risks. For instance, a malicious payload might be treated as a harmless data type, leading to vulnerabilities such as cross-site scripting (XSS) or other security threats.

Consider an API endpoint meant to return JSON that accidentally responds with an HTML Content-Type due to a misconfiguration or an error. If the response contains unsanitized user-generated content, attackers could embed malicious JavaScript in it. When processed by the client, this script might execute in the user's browser, resulting in a cross-site scripting (XSS) attack. Properly documenting and validating Content-Type values would prevent such an attack by ensuring strict adherence to the intended response formats.
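The following is an added example, not code from the original page, showing one way to enforce the documented response formats on the server side: each route's allowed media types are listed, every outgoing response is checked against them, and a response that drifted into HTML (such as an error page from a JSON endpoint) is replaced rather than sent. The route names, the media-type map and the sample response are constructed for illustration.

```javascript
// Added example (not from the original page): enforce that every API response
// carries a documented Content-Type. Routes, the map and samples are constructed.

// Documented response media types per endpoint (constructed, OpenAPI-style).
const documentedContentTypes = {
  "GET /api/users": ["application/json"],
  "GET /api/report": ["application/json", "text/csv"],
};

// Extract the media type from a Content-Type header, dropping parameters such
// as charset and normalising case: "Text/HTML; charset=utf-8" -> "text/html".
function mediaTypeOf(contentType) {
  if (!contentType) return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Check a response against the documented media types for its route.
// Returns { ok, reason } so the caller can log the violation before acting.
function validateResponse(route, response) {
  const allowed = documentedContentTypes[route];
  if (!allowed) return { ok: false, reason: `undocumented route: ${route}` };
  const actual = mediaTypeOf(response.headers["content-type"]);
  if (!actual) return { ok: false, reason: "missing Content-Type" };
  if (!allowed.includes(actual)) {
    return { ok: false, reason: `unexpected ${actual}, expected ${allowed.join(" or ")}` };
  }
  return { ok: true, reason: "" };
}

// Enforcement: a conforming response passes through; anything else (e.g. an HTML
// error page echoing user input from a JSON endpoint) becomes a generic JSON error.
// X-Content-Type-Options: nosniff stops browsers reinterpreting the body's type.
function enforceContentType(route, response) {
  const result = validateResponse(route, response);
  if (result.ok) return response;
  return {
    status: 500,
    headers: { "content-type": "application/json", "x-content-type-options": "nosniff" },
    body: JSON.stringify({ error: "response format violation", detail: result.reason }),
  };
}

// Constructed sample: the scenario from the text, a JSON endpoint whose error
// path produced an HTML body containing unsanitised user input.
const leakedHtml = {
  headers: { "content-type": "text/html; charset=utf-8" },
  body: "<h1>Error</h1><p>Unknown user: <script>/* user-supplied */</script></p>",
};
console.log(enforceContentType("GET /api/users", leakedHtml).headers["content-type"]); // application/json
```

The same check can be run from the client side against incoming responses, refusing to hand a body to an HTML-capable consumer when the endpoint is documented as JSON.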