Content-Type

Last updated: April 2026

Content-Type tells the browser (and server) what type of data is in the request or response body. Sending the wrong Content-Type causes parse failures, CORS preflights, and security issues.

Common response Content-Types

Content-Type: application/json              # JSON API response
Content-Type: text/html; charset=utf-8      # HTML page
Content-Type: text/plain; charset=utf-8     # plain text
Content-Type: application/javascript        # JavaScript file
Content-Type: text/css                      # CSS file
Content-Type: image/webp                    # WebP image
Content-Type: multipart/form-data           # file upload form

Content-Type triggers CORS preflight

Fetch requests with Content-Type: application/json are not "simple requests" and trigger a preflight OPTIONS request. If your server does not respond to OPTIONS, you see a CORS error.

# This triggers preflight:
fetch('/api/data', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(data),
});

X-Content-Type-Options: nosniff

Without this header, browsers may ignore Content-Type and guess the type (MIME sniffing). This can cause security issues if an attacker uploads an HTML file served as text/plain.

X-Content-Type-Options: nosniff

Set in Nginx

location /api/ {
    add_header Content-Type "application/json" always;
    add_header X-Content-Type-Options "nosniff" always;
}