In that case **this attack / risk doesn't apply to you**.

This risk and attack is mainly relevant when the app runs on the **local network** and that is the **only assumed protection**.

## Allowing Requests Without Content-Type { #allowing-requests-without-content-type }

If you need to support clients that don't send a `Content-Type` header, you can disable strict checking by setting `strict_content_type=False`:

programs, this change should be a no-op, or result in a performance improvement.
In rare cases, programs that do not benefit from connection reuse might
experience performance degradation if they had been improperly allowing an
excessive amount of idle connections to linger; usually by setting
[Transport.MaxIdleConns] to `0` or using different [Client]s for different
requests, thereby bypassing [Transport.MaxIdleConns] limit. In these cases,

# Added GE support maven support to the maven build in .teamcity, per the GE docs, this dir is NOT to be committed
.teamcity/.mvn/.develocity/
/discoclient.properties

# Ignore local configuration files for asdf, allowing the JDK to be configured for project (https://asdf-vm.com)
.tool-versions

# AI 
# ---
.claude/CLAUDE.local.md
.claude/settings.local.json

    /** Configuration key for allowing localhost authentication bypass. */
    protected static final String SPNEGO_ALLOW_LOCALHOST = "spnego.allow.localhost";

    /** Configuration key for prompting NTLM authentication. */
    protected static final String SPNEGO_PROMPT_NTLM = "spnego.prompt.ntlm";

    /** Configuration key for allowing unsecure basic authentication. */

This policy protects our limited review budget, allowing us to invest our attention wisely.

Embedding a Java runtime in the distribution would provide some benefits, such as allowing the Launcher, Daemon and Workers to run on it, removing the prerequisite of an installed Java runtime.
However, this does not fully remove the prerequisite, as the Wrapper itself would still need an installed Java runtime to execute.

如果你的应用部署在开放的互联网，你不会“信任网络”，也不会允许任何人不经认证就发送特权请求。

攻击者完全可以直接运行脚本向你的 API 发送请求，无需借助浏览器交互，因此你很可能已经对任何特权端点做好了安全防护。

在这种情况下，以上攻击/风险不适用于你。

该风险/攻击主要发生在应用运行于本地网络、且“仅依赖网络隔离作为保护”的场景。

## 允许无 Content-Type 的请求 { #allowing-requests-without-content-type }

如果你需要兼容不发送 `Content-Type` 头的客户端，可以通过设置 `strict_content_type=False` 来关闭严格检查：

{* ../../docs_src/strict_content_type/tutorial001_py310.py hl[4] *}

如果你的應用部署在公開的網際網路上，你不會「信任網路」而允許任何人在未經身分驗證的情況下發送具權限的請求。

攻擊者可以直接執行腳本向你的 API 發送請求，無需透過瀏覽器互動，因此你多半已經對任何具權限的端點做了防護。

在這種情況下，這種攻擊／風險不適用於你。

此風險與攻擊主要與應用只在本機或內部網路上執行，且「僅依賴此為保護」的情境相關。

## 允許沒有 Content-Type 的請求 { #allowing-requests-without-content-type }

若你需要支援未送出 `Content-Type` 標頭的客戶端，可以將 `strict_content_type=False` 以停用嚴格檢查：

{* ../../docs_src/strict_content_type/tutorial001_py310.py hl[4] *}

攻撃者は単にスクリプトを実行して API にリクエストを送れます。ブラウザを介する必要がないため、すでに特権エンドポイントは保護しているでしょう。

その場合、これはあなたには当てはまらない攻撃／リスクです。

このリスクと攻撃が主に問題になるのは、アプリがローカルネットワークで動作し、それだけが前提の保護となっている場合です。

## Content-Type なしのリクエストを許可する { #allowing-requests-without-content-type }

`Content-Type` ヘッダーを送らないクライアントをサポートする必要がある場合は、`strict_content_type=False` を設定して厳格チェックを無効化できます。

{* ../../docs_src/strict_content_type/tutorial001_py310.py hl[4] *}

       * if the task completed with an error.
       */
      V get() throws CancellationException, ExecutionException, InterruptedException {

        // Acquire the shared lock allowing interruption.
        acquireSharedInterruptibly(-1);
        return getValue();
      }

      /**
       * Implementation of the actual value retrieval. Will return the value on success, an