API Penetration Testing

Why Appropriate Content-Type Header Matters In REST API Security: Ft. JSON XSS

Let's Explore the Content-Type Header Role in API Security

3 min readOct 15

Understanding REST APIs

Before diving into the specifics of the Content-Type header, let’s quickly recap what REST APIs are all about. REST is an architectural style for designing networked applications. It is based on a set of constraints that encourage the use of standardized HTTP methods like GET, POST, PUT, and DELETE for communication between a client (usually a web or mobile application) and a server.

In a RESTful interaction, data is exchanged using various HTTP headers, such as “Accept” and “Content-Type.” These headers provide essential information about the content and structure of the data being sent or received.

The Content-Type header is an essential part of HTTP headers used to convey information about the media type or format of the data in the body of an HTTP message, whether it’s a request or a response. This information is vital for both the client and server to interpret and handle the data correctly.

Cross-Site Scripting in REST API

In general, Cross-Site Scripting (XSS) typically does not work in JSON API responses when the “Content-Type” header is set to “application/json” because the JSON format inherently does not allow the execution of scripts embedded within the response data.


When a web browser receives a response with a Content-Type of “application/json,” it treats the content as pure data and does not execute any JavaScript code within it. Unlike HTML, which can include script tags that execute JavaScript code, JSON is not processed in the same way.

How I got the Cross-Site Scripting via JSON response

In the recent bug hunting activity, I discovered an API endpoint that returns a 404 status code along with the query parameter value reflected in the response body. But the injected javascript payload will not be executed on the browser due to the “application/json” content-type value in the response.