I've found that one of the client-side libraries checks whether the response contains all of the following headers with the appropriate values (for security reasons):
'content-type', 'application/json'
'content-type', 'charset=utf-8'
'X-Content-Type-Options', 'nosniff'
'content-disposition', 'attachment'
'X-Frame-Options', 'DENY'
If a header does not exist, the library will throw an exception.
I can see no way in which checking this in a client-side library can improve security.
Does anyone have any idea if this makes sense or does not make sense?
P.S. This is not about whether these headers should be set by the server.
P.P.S. I found this out because, for some reason, even when the headers are present, I can see in the logs that this exception is sometimes thrown for the X-... headers. I do not really know why, but I suppose that either proxies remove the headers, or some browsers remove them or for some reason do not return them in JS. I would be happy to hear why, if someone knows the reason.
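
A sketch of the kind of check described in the question, as an added example that is not the library's code or part of the original post. It also models one condition under which script cannot read headers the server did send: on a cross-origin response, browsers expose only CORS-safelisted response headers unless `Access-Control-Expose-Headers` names the others. Whether that applies to the logs in the question is an assumption; the function names, the case-insensitive substring matching and the sample response are constructed.

```javascript
// Header checks listed in the question: [name, substring the value must contain].
const REQUIRED = [
  ['content-type', 'application/json'], ['content-type', 'charset=utf-8'],
  ['x-content-type-options', 'nosniff'], ['content-disposition', 'attachment'],
  ['x-frame-options', 'DENY'],
];

// CORS-safelisted response header names: readable by script on a
// cross-origin response without any opt-in from the server.
const CORS_SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// HTTP header names are case-insensitive, so compare in lower case.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Model of what script can read from a cross-origin response: safelisted
// names plus those named in Access-Control-Expose-Headers.
// (The "*" wildcard is not modelled here.)
function visibleToScript(headers) {
  const all = normalize(headers);
  const exposed = (all['access-control-expose-headers'] || '')
    .split(',').map((n) => n.trim().toLowerCase()).filter(Boolean);
  const out = {};
  for (const [name, value] of Object.entries(all)) {
    if (CORS_SAFELISTED.has(name) || exposed.includes(name)) out[name] = value;
  }
  return out;
}

// Returns every failed check rather than throwing on the first one,
// so a single log line shows all missing or mismatched headers.
function failedChecks(headers) {
  const h = normalize(headers);
  return REQUIRED
    .filter(([name, want]) => !(h[name] || '').toLowerCase().includes(want.toLowerCase()))
    .map(([name, want]) => `${name}: expected "${want}", got ${h[name] === undefined ? 'nothing' : h[name]}`);
}

// Constructed sample: headers as sent by the server.
const SENT = {
  'Content-Type': 'application/json; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'Content-Disposition': 'attachment; filename="data.json"',
  'X-Frame-Options': 'DENY',
};
```

`failedChecks(SENT)` is empty, while `failedChecks(visibleToScript(SENT))` reports the two `X-...` headers and `content-disposition` as missing even though the server sent them.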