# 严格的 Content-Type 检查 { #strict-content-type-checking }

默认情况下，FastAPI 对 JSON 请求体使用严格的 `Content-Type` 头检查。这意味着，JSON 请求必须包含有效的 `Content-Type` 头（例如 `application/json`），其请求体才会被按 JSON 解析。

## CSRF 风险 { #csrf-risk }

此默认行为在一个非常特定的场景下，可防御一类跨站请求伪造（CSRF）攻击。

这类攻击利用了浏览器的一个事实：当请求满足以下条件时，浏览器允许脚本在不进行任何 CORS 预检的情况下直接发送请求：

- 没有 `Content-Type` 头（例如使用 `fetch()` 携带 `Blob` 作为 body）
- 且不发送任何认证凭据。

这种攻击主要在以下情况下相关：

- 应用在本地（如 `localhost`）或内网中运行

        // Then
        NegotiateContextRequest[] contexts = request.getNegotiateContexts();
        assertNotNull(contexts);
        assertEquals(2, contexts.length);

        // Verify preauth context
        assertTrue(contexts[0] instanceof PreauthIntegrityNegotiateContext);
        assertEquals(PreauthIntegrityNegotiateContext.NEGO_CTX_PREAUTH_TYPE, contexts[0].getContextType());

        // Verify encryption context

    }

    /**
     * Set the create contexts for this request
     * @param contexts the create contexts to set
     */
    public void setCreateContexts(CreateContextRequest[] contexts) {
        this.createContexts = contexts;
    }

    /**
     * Add a create context to this request
     * @param context the create context to add
     */

	if *flagCheck {
		// slow, not worth repeating in -check
		t.Skip("skipping with -check set")
	}
	testenv.MustHaveGoBuild(t)
	context := new(build.Context)
	*context = build.Default
	context.Dir = filepath.Join(testenv.GOROOT(t), "src")

	w := NewWalker(context, context.Dir)
	for _, pkg := range w.stdPackages {
		if strings.HasPrefix(pkg, "vendor/") || strings.HasPrefix(pkg, "golang.org/x/") {

# Chequeo estricto de Content-Type { #strict-content-type-checking }

Por defecto, **FastAPI** usa un chequeo estricto del header `Content-Type` para request bodies JSON, esto significa que las requests JSON deben incluir un header `Content-Type` válido (p. ej. `application/json`) para que el request body se parse como JSON.

## Riesgo de CSRF { #csrf-risk }

# Строгая проверка HTTP-заголовка Content-Type { #strict-content-type-checking }

По умолчанию **FastAPI** использует строгую проверку HTTP-заголовка `Content-Type` для JSON-тел запросов. Это означает, что JSON-запросы должны включать корректный заголовок `Content-Type` (например, `application/json`), чтобы тело запроса было обработано как JSON.

## Риск CSRF { #csrf-risk }

            throw new CIFSException("Preauth integrity context is invalid for session: " + sessionId);
        }

        try {
            byte[] newHash = calculateHash(context.getCurrentHash(), messageData, context.getHashAlgorithm());
            context.updateHash(newHash);

            log.debug("Updated preauth hash for session {} with {} bytes of data", sessionId, messageData.length);

 */
package jcifs;

import java.net.URLStreamHandler;

/**
 * Encapsulation of client context
 *
 *
 * A context holds the client configuration, shared services as well as the active credentials.
 *
 * Usually you will want to create one context per client configuration and then
 * multiple sub-contexts using different credentials (if necessary).
 *

  // Set up distributed execution environment on local and remote tasks.
  // When `reset_context` is true, initialize new cluster context state based
  // on cluster configurations provided in `server_def`; otherwise, update
  // existing context state with the provided `server_def`. Contexts created
  // on remote tasks will be considered stale and garbage collected after
  // `keep_alive_secs` of inactivity.

    @Test
    @DisplayName("Should return negotiate contexts")
    void testGetNegotiateContexts() throws Exception {
        // Given
        NegotiateContextResponse[] contexts = new NegotiateContextResponse[2];
        contexts[0] = new EncryptionNegotiateContext();
        contexts[1] = new PreauthIntegrityNegotiateContext();
        setPrivateField(response, "negotiateContexts", contexts);

        // When