While reading the MDN documentation for the Content-Type response header, I'm wondering if X-Content-Type-Options: nosniff should be applied to all JSON:API responses?
In responses, a Content-Type header tells the client what the content type of the returned content actually is. Browsers will do MIME sniffing in some cases and will not necessarily follow the value of this header; to prevent this behavior, the header X-Content-Type-Options can be set to nosniff.
However, the MDN docs for X-Content-Type-Options say that doing this can also apply other restrictions in browsers:
X-Content-Type-Options only apply request-blocking due to nosniff for request destinations of "script" and "style". However, it also enables Cross-Origin Read Blocking (CORB) for HTML, TXT, JSON and XML files (excluding SVG