When I checked the content type of both responses, it's giving application/json for the first and text/html for the second.

Accessing the API with an HTTP POST and Content-Type application/x-www-form-urlencoded still gets false results.

application/x-www-form-urlencoded, multipart/form-data, text/plain. If you change it to anything else, such as application/json, the browser will first make an OPTIONS request to

Why does the application/json content type have a CSRF token?

XSS not exploitable when POST data is sent in JSON?

The JSON encoding also supports file uploads. The values of files are themselves structured as objects and contain a type field indicating the MIME type, a name field containing the file name, and a body field with the file's content as base64.