diff --git a/cheatsheets/REST_Security_Cheat_Sheet.md b/cheatsheets/REST_Security_Cheat_Sheet.md index efdeab4c02..e5f6ba88d3 100644 --- a/cheatsheets/REST_Security_Cheat_Sheet.md +++ b/cheatsheets/REST_Security_Cheat_Sheet.md @@ -98,7 +98,7 @@ A REST request or response body should match the intended content type in the he ### Validate request content types -- Reject requests containing unexpected or missing content type headers with HTTP response status `406 Unacceptable` or `415 Unsupported Media Type`. +- Reject requests containing unexpected or missing content type headers with HTTP response status `406 Unacceptable` or `415 Unsupported Media Type`. For requests with `Content-Length: 0` no `Content-type` header is expected. - For XML content types ensure appropriate XML parser hardening, see the [XXE cheat sheet](XML_External_Entity_Prevention_Cheat_Sheet.md). - Avoid accidentally exposing unintended content types by explicitly defining content types e.g. [Jersey](https://jersey.github.io/) (Java) `@consumes("application/json"); @produces("application/json")`. This avoids [XXE-attack](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_%28XXE%29_Processing) vectors for example.