According to the OWASP Application Security Verification Standard:
V11.3 Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8).
According to the RFC for the application/json Media Type:
JSON text SHALL be encoded in Unicode. The default encoding is UTF-8.
Since the first two characters of a JSON text will always be ASCII characters [RFC0020], it is possible to determine whether an octet stream is UTF-8, UTF-16 (BE or LE), or UTF-32 (BE or LE) by looking at the pattern of nulls in the first four octets.
If your encoding is in fact UTF-8, this implies there is no security benefit to setting the Content-Type header to application/json; charset=utf-8 instead of just application/json.

Is it reasonable to make an exception to the OWASP rule for application/json?
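The null-pattern heuristic quoted from the RFC, and the OWASP check it is weighed against, can both be turned into a concrete response check. The following Python is an added example, not code from the question or from OWASP: detect_json_encoding implements the RFC's four-octet rule, and check_json_response (a hypothetical name) applies it to a response's Content-Type header and body, flagging a body that is not UTF-8 and a charset parameter that disagrees with the bytes. All sample bodies below are constructed inline.

```python
import codecs
import json
from email.message import Message


def detect_json_encoding(data: bytes) -> str:
    """Guess the Unicode encoding of a JSON text from the null pattern of its
    first four octets, as described in the application/json RFC.

    Because the first two characters of a JSON text are ASCII, the position of
    zero octets identifies the encoding without a BOM.
    """
    if len(data) < 4:
        # Too short for the heuristic; a UTF-16/32 text of two characters is
        # already 4/8 octets, so a shorter stream can only be UTF-8.
        return "utf-8"
    nulls = tuple(octet == 0 for octet in data[:4])
    patterns = {
        (True, True, True, False): "utf-32-be",   # 00 00 00 xx
        (True, False, True, False): "utf-16-be",  # 00 xx 00 xx
        (False, True, True, True): "utf-32-le",   # xx 00 00 00
        (False, True, False, True): "utf-16-le",  # xx 00 xx 00
        (False, False, False, False): "utf-8",    # xx xx xx xx
    }
    try:
        return patterns[nulls]
    except KeyError:
        raise ValueError("octet pattern matches no JSON Unicode encoding") from None


def check_json_response(content_type: str, body: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for an application/json response.

    ok is True only when the body is UTF-8 by inspection, parses as JSON, and
    any charset parameter present agrees with the bytes.
    """
    # Parse the header with the stdlib MIME parser instead of string splitting.
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "application/json":
        return False, f"media type is {msg.get_content_type()}, not application/json"

    try:
        actual = detect_json_encoding(body)
    except ValueError as exc:
        return False, str(exc)

    declared = msg.get_param("charset")
    if declared is not None:
        try:
            declared = codecs.lookup(str(declared)).name  # canonical form, e.g. 'utf-8'
        except LookupError:
            return False, f"unknown charset parameter {declared!r}"
        if declared != actual:
            return False, f"charset parameter says {declared} but body is {actual}"

    if actual != "utf-8":
        return False, f"body is {actual}, not UTF-8"

    # The encoding looks right; confirm the octets are really a JSON text.
    try:
        json.loads(body.decode(actual))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return False, f"body is not valid JSON: {exc}"

    note = "charset parameter agrees" if declared else "no charset parameter"
    return True, f"utf-8 by inspection, {note}"


if __name__ == "__main__":
    # Constructed sample responses: header value paired with body bytes.
    samples = [
        ("application/json", b'{"a": 1}'),
        ("application/json; charset=utf-8", b'{"a": 1}'),
        ("application/json; charset=utf-8", '{"a": 1}'.encode("utf-16-le")),
        ("application/json", '{"a": 1}'.encode("utf-32-be")),
        ("text/html; charset=utf-8", b'{"a": 1}'),
    ]
    for header, body in samples:
        print(f"{header!r:45} -> {check_json_response(header, body)}")
```

The check answers the question's own premise from the receiving side: with or without the charset parameter, a UTF-8 application/json body is identified by its bytes, while a UTF-16 or UTF-32 body (or a charset parameter that contradicts the bytes) is what the check is there to catch. Python's json.loads applies the same null-pattern detection when handed bytes, so the hand-written detector mainly makes the rule visible.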