I run into an issue where json:api requests are blocked by Web Application Firewall. The implemented rules come from OWASP project and here, application/vnd.api+json is not on the content-type default allow list.
Why is json:api not just sticking with plain application/json?
Does it make sense to propose adding application/vnd.api+json as default on the OWASP WAF rules project?
Many parties in implement those rules these days and it is painful to always start a discussion why the holy defaults must be overwritten.