While reading the MDN documentation for the `Content-Type` response header, I'm wondering if `X-Content-Type-Options: nosniff` should be applied for all JSON:API responses?
In responses, a `Content-Type` header tells the client what the content type of the returned content actually is. Browsers will do MIME sniffing in some cases and will not necessarily follow the value of this header; to prevent this behavior, the header `X-Content-Type-Options` can be set to `nosniff`.
However, the MDN docs for `X-Content-Type-Options` say doing this can also apply other restrictions in browsers:
> Note: `X-Content-Type-Options` only apply request-blocking due to `nosniff` for request destinations of "script" and "style". However, it also enables Cross-Origin Read Blocking (CORB) for HTML, TXT, JSON and XML files (excluding SVG `image/svg+xml`).
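As an added illustration (not part of the question or of MDN's text), here is a small Node-style request handler that emits a JSON:API response with an explicit `Content-Type` and `X-Content-Type-Options: nosniff`, together with a check that reads the header the way the Fetch standard's "determine nosniff" step does (split on commas, first value only, ASCII case-insensitive). The function names, the sample resource and the handler shape are assumptions for this example, not part of any real project.

```javascript
// Added example, not code from the question or from MDN.
// JSON:API media type (registered as application/vnd.api+json). It is neither
// HTML nor a script/style type, so nosniff here is less about stopping a
// dangerous reinterpretation and more about telling the browser to trust the
// declared type, which also switches on CORB for JSON in no-cors contexts.
const JSON_API_CONTENT_TYPE = 'application/vnd.api+json';

// Headers every JSON:API response from this handler carries.
function jsonApiHeaders(bodyBytes) {
  return {
    'Content-Type': JSON_API_CONTENT_TYPE,
    'Content-Length': String(bodyBytes.length),
    'X-Content-Type-Options': 'nosniff',
  };
}

// Mirrors Fetch's "determine nosniff": get the header (name is
// case-insensitive), split it on commas, and only the FIRST value counts,
// compared ASCII case-insensitively against "nosniff".
function nosniffEnabled(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === 'x-content-type-options');
  if (!entry) return false;
  const raw = Array.isArray(entry[1]) ? entry[1].join(',') : String(entry[1]);
  const first = raw.split(',')[0].trim();
  return first.toLowerCase() === 'nosniff';
}

// Constructed sample resource for the example (not real data).
const SAMPLE_DOCUMENT = {
  data: {
    type: 'articles',
    id: '1',
    attributes: { title: 'JSON:API responses and nosniff' },
  },
};

// Build status, headers and body for a JSON:API document.
function buildJsonApiResponse(doc) {
  const body = Buffer.from(JSON.stringify(doc));
  return { status: 200, headers: jsonApiHeaders(body), body };
}

// Handler in the shape http.createServer(handleRequest) expects (assumed
// Node-style req/res with writeHead/end); req is unused in this toy handler.
function handleRequest(req, res) {
  const { status, headers, body } = buildJsonApiResponse(SAMPLE_DOCUMENT);
  res.writeHead(status, headers);
  res.end(body);
}

// Usage: require('http').createServer(handleRequest).listen(8080);
// then `curl -i http://localhost:8080/` and look for the nosniff header.
```

The `nosniffEnabled` helper is handy when auditing an existing API: feed it the headers from a captured response and it tells you whether a browser would actually honour the opt-out, including the easy-to-miss case where `nosniff` is not the first comma-separated value.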