I'm trying to wrap my head around why it is advised to validate the Content-Type sent by a client to a REST API.
OWASP states in their REST Security Cheat Sheet:
When POSTing or PUTting new data, the client will specify the Content-Type (e.g. application/xml or application/json) of the incoming data. The server should never assume the Content-Type; it should always check that the Content-Type header and the content are the same type. A lack of Content-Type header or an unexpected Content-Type header should result in the server rejecting the content with a 406 Not Acceptable response.
They never really state how a missing validation may be exploited. Of course it's better to validate the input, for the data parser's sake, but the header can be faked anyway by an attacker, right?
Why is the Content-Type validation suggested and how could a missing validation be exploited?
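The check the quoted OWASP advice describes, as an added example that is not part of the original question: a small Python request gate (names such as check_request and ALLOWED_TYPES are assumptions, and the sample requests are constructed) that rejects a missing or unexpected Content-Type with 406 and, when the header declares JSON, confirms the body really parses as JSON before any handler sees it.

```python
import json
from typing import Mapping, Tuple

# Media types this hypothetical endpoint is willing to parse (assumption).
ALLOWED_TYPES = {"application/json"}


def parse_media_type(header_value: str) -> Tuple[str, dict]:
    """Split 'type/subtype; param=value' into media type and parameters.

    Type and parameter names are case-insensitive per RFC 7231, so both
    are lower-cased; quotes and surrounding whitespace are stripped.
    """
    parts = [p.strip() for p in header_value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
    return parts[0].lower(), params


def check_request(headers: Mapping[str, str], body: bytes) -> Tuple[int, str]:
    """Return (status, reason); 200 means the body may be handed to the parser."""
    # Header names are case-insensitive, so do not rely on exact spelling.
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if ct is None:
        return 406, "missing Content-Type"
    media_type, params = parse_media_type(ct)
    if media_type not in ALLOWED_TYPES:
        return 406, f"unexpected Content-Type {media_type!r}"
    charset = params.get("charset", "utf-8")
    if charset != "utf-8":
        return 406, f"unsupported charset {charset!r}"
    # The header claims JSON: verify the claim so a mislabeled body (XML,
    # form data, garbage) never reaches a lenient or unexpected parser.
    try:
        json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "body does not match declared Content-Type"
    return 200, "ok"


# Constructed sample requests (not captured traffic) exercising each branch.
SAMPLES = {
    "good": ({"Content-Type": "application/json; charset=UTF-8"}, b'{"name": "alice"}'),
    "missing": ({}, b'{"name": "alice"}'),
    "xml_labeled": ({"content-type": "text/xml"}, b"<user><name>alice</name></user>"),
    "mislabeled": ({"Content-Type": "application/json"}, b"name=alice"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, check_request(hdrs, body))
```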