# Chequeo estricto de Content-Type { #strict-content-type-checking }

Por defecto, **FastAPI** usa un chequeo estricto del header `Content-Type` para request bodies JSON, esto significa que las requests JSON deben incluir un header `Content-Type` válido (p. ej. `application/json`) para que el request body se parse como JSON.

## Riesgo de CSRF { #csrf-risk }

            SessionServicePacket.readPacketType(bais, buffer, 0);
        });

        assertEquals("unexpected EOF reading netbios session header", exception.getMessage());
    }

    @Test
    @DisplayName("readPacketType should throw IOException on incomplete header")
    void testReadPacketTypeIncompleteHeader() {
        byte[] headerData = { (byte) 0x81, (byte) 0x00 }; // Only 2 bytes instead of 4

Dann wird der Browser ein HTTP-`OPTIONS`-<abbr title="Request – Anfrage: Daten, die der Client zum Server sendet">Request</abbr> an das `:80`-Backend senden, und wenn das Backend die entsprechenden Header sendet, die die Kommunikation von diesem anderen Origin (`http://localhost:8080`) autorisieren, lässt der `:8080`-Browser das JavaScript im Frontend seinen Request an das `:80`-Backend senden.

Um dies zu erreichen, muss das `:80`-Backend eine Liste von „erlaubten Origins“ haben.

def test_security_http_basic_invalid_credentials():
    response = client.get(
        "/users/me", headers={"Authorization": "Basic notabase64token"}
    )
    assert response.status_code == 401, response.text
    assert response.headers["WWW-Authenticate"] == "Basic"
    assert response.json() == {"detail": "Not authenticated"}


def test_security_http_basic_non_basic_credentials():

    }

    /**
     * Test case for when the 'Authorization' header is missing.
     * Expects the server to respond with a 'WWW-Authenticate: NTLM' header and a 401 status.
     * @throws IOException
     */
    @Test
    public void testAuthenticate_NoAuthorizationHeader() throws IOException {
        // Setup: No "Authorization" header
        when(mockRequest.getHeader("Authorization")).thenReturn(null);

				Having:  []clause.Expression{clause.Eq{"role", "admin"}},
			}, clause.GroupBy{
				Columns: []clause.Column{{Name: "gender"}},
				Having:  []clause.Expression{clause.Neq{"gender", "U"}},
			}},
			"SELECT * FROM `users` GROUP BY `role`,`gender` HAVING `role` = ? AND `gender` <> ?",
			[]interface{}{"admin", "U"},
		},
	}

	for idx, result := range results {

                                <%-- Card Header --%>
                            <div class="card-header">
                                <jsp:include page="/WEB-INF/view/common/admin/crud/header.jsp"></jsp:include>
                            </div>
                                <%-- Card Body --%>

		if err != nil {
			return
		}

		type file struct {
			header  *FileHeader
			content []byte
		}
		files := []file{}

		for _, f := range r.File {
			fr, err := f.Open()
			if err != nil {
				continue
			}
			content, err := io.ReadAll(fr)
			if err != nil {
				continue
			}
			files = append(files, file{header: &f.FileHeader, content: content})
			if _, err := r.Open(f.Name); err != nil {

* [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Host)

///

### Habilitar headers reenviados por el Proxy { #enable-proxy-forwarded-headers }

Puedes iniciar FastAPI CLI con la *Opción de CLI* `--forwarded-allow-ips` y pasar las direcciones IP que deberían ser confiables para leer esos headers reenviados.

                                <%-- Card Header --%>
                            <div class="card-header">
                                <jsp:include page="/WEB-INF/view/common/admin/crud/header.jsp"></jsp:include>
                            </div>
                                <%-- Card Body --%>