fix(api): allow fastify to set content-type dynamically (#50248)

fix: allow fastify to set content-type dynamically

We can set content-type: application/json for specific routes, but
doing so ends up with confusing, over-engineered code.

Instead we should take care when auditing the endpoints.

api/src/plugins/security.ts

@@ -10,7 +10,6 @@ const securityHeaders: FastifyPluginCallback = (fastify, _options, done) => {
     void reply
       .header('Cache-Control', 'no-store')
       .header('Content-Security-Policy', "frame-ancestors 'none'")
-      .header('Content-Type', 'application/json; charset=utf-8')
       .header('X-Content-Type-Options', 'nosniff')
       .header('X-Frame-Options', 'DENY');
     // TODO: Increase this gradually to 2 years. Include preload once it is

api/src/server.test.ts

@@ -11,9 +11,8 @@ jest.mock('./utils/env', () => {
 });
 
 describe('production', () => {
+  setupServer();
   describe('GET /', () => {
-    setupServer();
-
     test('have a 200 response', async () => {
       const res = await superGet('/');
       expect(res.statusCode).toBe(200);
@@ -69,4 +68,18 @@ describe('production', () => {
       });
     });
   });
+
+  describe('GET /documentation', () => {
+    test('should have OWASP recommended headers, except content-type', async () => {
+      const res = await superGet('/documentation/static/index.html');
+      expect(res.headers).toMatchObject({
+        'cache-control': 'no-store',
+        'content-security-policy': "frame-ancestors 'none'",
+        'content-type': 'text/html; charset=utf-8',
+        'x-content-type-options': 'nosniff',
+        'x-frame-options': 'DENY',
+        'strict-transport-security': 'max-age=300; includeSubDomains'
+      });
+    });
+  });
 });