Content-Type Header
The Content-Type header declares the format of the request or response body. For responses, it tells the browser how to parse the body. For requests, it tells the server what format the body is in. Getting it wrong causes parse errors and can trigger CORS preflights unexpectedly.
Common Content-Type values
| Value | Used for |
|---|---|
| application/json | JSON API requests and responses |
| text/html; charset=utf-8 | HTML pages |
| application/x-www-form-urlencoded | HTML form submissions |
| multipart/form-data | File uploads |
| text/plain | Plain text |
| application/octet-stream | Binary file downloads |
Why it triggers CORS preflight
Browsers only skip the CORS preflight for POST requests with "simple" Content-Type values: application/x-www-form-urlencoded, multipart/form-data, or text/plain.
Any POST with Content-Type: application/json triggers a preflight. This is why JSON APIs require explicit CORS preflight handling even for POST.
Security: X-Content-Type-Options: nosniff
Without this header, browsers "sniff" the content type by looking at the actual content, ignoring what Content-Type says. This can cause security issues — an image file could be interpreted as JavaScript. Always set:
X-Content-Type-Options: nosniff
Common mistake
Returning JSON without setting Content-Type to application/json — some clients handle this, but some JavaScript fetch clients and all strictly typed parsers will reject it.
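A check for the two response problems described above (no `X-Content-Type-Options: nosniff`, and a JSON body served under a different Content-Type). This is an added example, not code from the original page or from any tool it mentions; the function names, finding labels and sample responses are constructed for illustration.

```javascript
// Look up a header case-insensitively; HTTP header names are not case-sensitive.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// "application/json; charset=utf-8" -> "application/json"
function mimeEssence(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// Treat only parseable objects/arrays as JSON so plain text like "42" is not flagged.
function looksLikeJson(body) {
  const text = body.trim();
  if (!/^[\[{]/.test(text)) return false;
  try { JSON.parse(text); return true; } catch { return false; }
}

// Hypothetical audit function: returns a list of finding labels (names are illustrative).
function auditResponse(headers, body) {
  const findings = [];
  const sniff = getHeader(headers, "X-Content-Type-Options");
  if (sniff === undefined || sniff.trim().toLowerCase() !== "nosniff") {
    findings.push("missing-nosniff");
  }
  const contentType = getHeader(headers, "Content-Type");
  if (contentType === undefined) {
    findings.push("missing-content-type");
  } else if (looksLikeJson(body)) {
    const essence = mimeEssence(contentType);
    // Structured-syntax suffix types such as application/problem+json are JSON too.
    if (essence !== "application/json" && !essence.endsWith("+json")) {
      findings.push("json-body-wrong-content-type:" + essence);
    }
  }
  return findings;
}

// Constructed sample responses, not captured from a real server.
const samples = [
  [{ "Content-Type": "application/json; charset=utf-8", "X-Content-Type-Options": "nosniff" }, '{"ok":true}'],
  [{ "content-type": "text/html" }, '{"ok":true}'],
  [{ "X-Content-Type-Options": "nosniff" }, "[1,2,3]"],
];
for (const [headers, body] of samples) {
  console.log(JSON.stringify(headers), "->", auditResponse(headers, body));
}
```

An empty result means neither problem was found; the check does not cover any other header.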