默认情况下，FastAPI 对 JSON 请求体使用严格的 `Content-Type` 头检查。这意味着，JSON 请求必须包含有效的 `Content-Type` 头（例如 `application/json`），其请求体才会被按 JSON 解析。

## CSRF 风险 { #csrf-risk }

此默认行为在一个非常特定的场景下，可防御一类跨站请求伪造（CSRF）攻击。

这类攻击利用了浏览器的一个事实：当请求满足以下条件时，浏览器允许脚本在不进行任何 CORS 预检的情况下直接发送请求：

- 没有 `Content-Type` 头（例如使用 `fetch()` 携带 `Blob` 作为 body）
- 且不发送任何认证凭据。

这种攻击主要在以下情况下相关：

- 应用在本地（如 `localhost`）或内网中运行
- 且应用没有任何认证，假定来自同一网络的请求都可信。

## 攻击示例 { #example-attack }

---
jjbb-template: periodic-trigger-lgc.yml
vars:
  - periodic-job: elastic+elasticsearch+%BRANCH%+periodic+eql-correctness
  - lgc-job: elastic+elasticsearch+%BRANCH%+intake

---
jjbb-template: periodic-trigger-lgc.yml
vars:
  - periodic-job: elastic+elasticsearch+%BRANCH%+periodic+platform-support
  - lgc-job: elastic+elasticsearch+%BRANCH%+intake

This default behavior provides protection against a class of **Cross-Site Request Forgery (CSRF)** attacks in a very specific scenario.

These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:

* don't have a `Content-Type` header (e.g. using `fetch()` with a `Blob` body)
* and don't send any authentication credentials.

This type of attack is mainly relevant when:

Esses ataques exploram o fato de que navegadores permitem que scripts enviem requisições sem fazer qualquer verificação de preflight de CORS quando:

- não têm um cabeçalho `Content-Type` (por exemplo, usando `fetch()` com um corpo `Blob`)
- e não enviam nenhuma credencial de autenticação.

Esse tipo de ataque é relevante principalmente quando:

# Apprendre { #learn }

Voici les sections introductives et les tutoriels pour apprendre **FastAPI**.

Vous pouvez en lire davantage à la fin de cette page.

///

## Arguments supplémentaires de `Field` { #field-additional-arguments }

Lorsque vous utilisez `Field()` avec des modèles Pydantic, vous pouvez également déclarer des `examples` supplémentaires :

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

origins = [
    "http://localhost.tiangolo.com",
    "https://localhost.tiangolo.com",
    "http://localhost",
    "http://localhost:8080",
]

app.add_middleware(
    CORSMiddleware,
    allow_origins=origins,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)


@app.get("/")

---
jjbb-template: generic-gradle-unix.yml
vars:
  - job-name: elastic+elasticsearch+%BRANCH%+intake+multijob+rest-compat
  - job-display-name: "elastic / elasticsearch # %BRANCH% - intake rest compatibility"
  - job-description: Elasticsearch %BRANCH% branch intake REST compatibility checks.

---
jjbb-template: matrix-gradle-unix.yml
vars:
  - job-name: elastic+elasticsearch+%BRANCH%+periodic+java-matrix
  - job-display-name: "elastic / elasticsearch # %BRANCH% - java compatibility matrix"
  - job-description: "Testing of the Elasticsearch %BRANCH% branch java compatibility matrix.\n"
  - matrix-yaml-file: ".ci/matrix-runtime-javas.yml"
  - matrix-variable: ES_RUNTIME_JAVA