# Strict Content-Type Checking { #strict-content-type-checking }

By default, **FastAPI** uses strict `Content-Type` header checking for JSON request bodies, this means that JSON requests **must** include a valid `Content-Type` header (e.g. `application/json`) in order for the body to be parsed as JSON.

## CSRF Risk { #csrf-risk }

This default behavior provides protection against a class of **Cross-Site Request Forgery (CSRF)** attacks in a very specific scenario.

api.search.accept.referers=
# Whether to enable scroll for API search.
api.search.scroll=false
# Headers for API JSON response.
api.json.response.headers=Referrer-Policy:strict-origin-when-cross-origin
# Whether to include exceptions in API JSON response.
api.json.response.exception.included=false
# Headers for API GSA response.
api.gsa.response.headers=Referrer-Policy:strict-origin-when-cross-origin
# Whether to include exceptions in API GSA response.

        )

    tasks.add_task(bg, state)
    return state


@app.middleware("http")
async def middleware(request, call_next):
    response: StreamingResponse = await call_next(request)
    response.headers["x-state"] = json.dumps(state.copy())
    return response


client = TestClient(app)


def test_async_state():
    assert state["/async"] == "asyncgen not started"
    response = client.get("/async")

	o = msgp.Require(b, z.Msgsize())
	// map header, size 4
	// string "APIVersion"
	o = append(o, 0x84, 0xaa, 0x41, 0x50, 0x49, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e)
	o = msgp.AppendString(o, z.APIVersion)
	// string "Flags"
	o = append(o, 0xa5, 0x46, 0x6c, 0x61, 0x67, 0x73)
	// map header, size 3
	// string "Filter"
	o = append(o, 0x83, 0xa6, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72)

	for {
		header, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			t.Fatalf("Failed to read header: %s", err)
		}
		if header.Typeflag != TypeReg {
			t.Fatalf("Typeflag should've been %d, found %d", TypeReg, header.Typeflag)
		}
	}
}

// failOnceWriter fails exactly once and then always reports success.
type failOnceWriter bool

Bei HTTP Basic Auth erwartet die Anwendung einen Header, der einen Benutzernamen und ein Passwort enthält.

Wenn sie diesen nicht empfängt, gibt sie den HTTP-Error 401 „Unauthorized“ zurück.

Und gibt einen Header `WWW-Authenticate` mit dem Wert `Basic` und einem optionalen <abbr title="Bereich">`realm`</abbr>-Parameter zurück.

    val c = this[i]
    // The WHATWG Host parsing rules accepts some character codes which are invalid by
    // definition for OkHttp's host header checks (and the WHATWG Host syntax definition). Here
    // we rule out characters that would cause problems in host headers.
    if (c <= '\u001f' || c >= '\u007f') {
      return true
    }
    // Check for the characters mentioned in the WHATWG Host parsing spec:

            return status;
        }

        @Override
        public void setHeader(String name, String value) {
            headers.put(name, value);
        }

        @Override
        public String getHeader(String name) {
            return headers.get(name);
        }

        @Override
        public PrintWriter getWriter() {
            return writer;
        }

 */
package okhttp3

import assertk.assertThat
import assertk.assertions.isEqualTo
import java.io.IOException
import java.nio.charset.StandardCharsets
import kotlin.test.assertFailsWith
import okhttp3.Headers.Companion.headersOf
import okhttp3.MediaType.Companion.toMediaType
import okhttp3.MediaType.Companion.toMediaTypeOrNull
import okhttp3.RequestBody.Companion.toRequestBody
import okio.Buffer
import okio.BufferedSink

class APIKeyHeader(APIKeyBase):
    """
    API key authentication using a header.

    This defines the name of the header that should be provided in the request with
    the API key and integrates that into the OpenAPI documentation. It extracts
    the key value sent in the header automatically and provides it as the dependency
    result. But it doesn't define how to send that key to the client.