hashicorp · sanikachavan5 · Aug 25, 2025 · Aug 22, 2025 · Aug 22, 2025 · Aug 22, 2025
@@ -0,0 +1,3 @@
+```release-note:security
+api: add charset in all applicable content-types.
+```
@@ -20,11 +20,12 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/go-uuid"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 
+	"github.com/hashicorp/go-uuid"
+
 	"github.com/hashicorp/consul/agent/mock"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
@@ -689,7 +690,7 @@ func TestCheckHTTPBody(t *testing.T) {
 	}{
 		{desc: "get body", method: "GET", body: "hello world"},
 		{desc: "post body", method: "POST", body: "hello world"},
-		{desc: "post json body", header: http.Header{"Content-Type": []string{"application/json"}}, method: "POST", body: "{\"foo\":\"bar\"}"},
+		{desc: "post json body", header: http.Header{"Content-Type": []string{"application/json; charset=utf-8"}}, method: "POST", body: "{\"foo\":\"bar\"}"},
 	}
 
 	for _, tt := range tests {
@@ -1561,7 +1562,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `this is not json`)
 				},
 			},
@@ -1573,7 +1574,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1588,7 +1589,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1603,7 +1604,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1619,7 +1620,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1638,7 +1639,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1658,7 +1659,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1667,7 +1668,7 @@ func TestCheck_Docker(t *testing.T) {
 				},
 				"GET /exec/456/json": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(200)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `this is not json`)
 				},
 			},
@@ -1679,7 +1680,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1688,7 +1689,7 @@ func TestCheck_Docker(t *testing.T) {
 				},
 				"GET /exec/456/json": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(200)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"ExitCode":0}`)
 				},
 			},
@@ -1700,7 +1701,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1709,7 +1710,7 @@ func TestCheck_Docker(t *testing.T) {
 				},
 				"GET /exec/456/json": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(200)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"ExitCode":0}`)
 				},
 			},
@@ -1721,7 +1722,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1730,7 +1731,7 @@ func TestCheck_Docker(t *testing.T) {
 				},
 				"GET /exec/456/json": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(200)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"ExitCode":1}`)
 				},
 			},
@@ -1742,7 +1743,7 @@ func TestCheck_Docker(t *testing.T) {
 			handlers: map[string]http.HandlerFunc{
 				"POST /containers/123/exec": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(201)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"Id":"456"}`)
 				},
 				"POST /exec/456/start": func(w http.ResponseWriter, r *http.Request) {
@@ -1751,7 +1752,7 @@ func TestCheck_Docker(t *testing.T) {
 				},
 				"GET /exec/456/json": func(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(200)
-					w.Header().Set("Content-Type", "application/json")
+					w.Header().Set("Content-Type", "application/json; charset=utf-8")
 					fmt.Fprint(w, `{"ExitCode":2}`)
 				},
 			},

@@ -107,7 +107,7 @@ func (s *TestAPIServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	w.Header().Set("content-type", "application/json")
+	w.Header().Set("content-type", "application/json; charset=utf-8")
 
 	if req.URL.Path == "/apis/authentication.k8s.io/v1/tokenreviews" {
 		s.handleTokenReview(w, req)

@@ -119,7 +119,7 @@ func (s *MockHCPServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	log.Printf("OK 200: %s %s\n", r.Method, r.URL.Path)
-	w.Header().Set("content-type", "application/json")
+	w.Header().Set("content-type", "application/json; charset=utf-8")
 	w.WriteHeader(http.StatusOK)
 	w.Write(bs)
 }
@@ -137,7 +137,7 @@ func enforceMethod(w http.ResponseWriter, r *http.Request, methods []string) boo
 }
 
 func mockTokenResponse(w http.ResponseWriter) {
-	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	w.WriteHeader(http.StatusOK)
 
 	w.Write([]byte(`{"access_token": "token", "token_type": "Bearer"}`))

@@ -24,12 +24,13 @@ import (
 	"time"
 
 	"github.com/NYTimes/gziphandler"
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/go-hclog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/http2"
 
+	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/go-hclog"
+
 	"github.com/hashicorp/consul/agent/config"
 	"github.com/hashicorp/consul/agent/consul"
 	"github.com/hashicorp/consul/agent/structs"
@@ -638,7 +639,7 @@ func TestHTTPAPIResponseHeaders(t *testing.T) {
 	`)
 	defer a.Shutdown()
 
-	requireHasHeadersSet(t, a, "/v1/agent/self", "application/json")
+	requireHasHeadersSet(t, a, "/v1/agent/self", "application/json; charset=utf-8")
 
 	// Check the Index page that just renders a simple message with UI disabled
 	// also gets the right headers.
@@ -686,7 +687,7 @@ func TestHTTPAPIValidateContentTypeHeaders(t *testing.T) {
 			method:              http.MethodPost,
 			endpoint:            "/v1/peering/token",
 			requestBody:         bytes.NewBuffer([]byte("test")),
-			expectedContentType: "application/json",
+			expectedContentType: "application/json; charset=utf-8",
 		},
 	}
 
@@ -784,7 +785,7 @@ func TestErrorContentTypeHeaderSet(t *testing.T) {
 	`)
 	defer a.Shutdown()
 
-	requireHasHeadersSet(t, a, "/fake-path-doesn't-exist", "application/json")
+	requireHasHeadersSet(t, a, "/fake-path-doesn't-exist", "application/json; charset=utf-8")
 }
 
 func TestAcceptEncodingGzip(t *testing.T) {

@@ -94,7 +94,7 @@ func (s *HTTPHandlers) KVSGet(resp http.ResponseWriter, req *http.Request, args
 	if _, ok := params["raw"]; ok && method == "KVS.Get" {
 		body := out.Entries[0].Value
 		resp.Header().Set("Content-Length", strconv.FormatInt(int64(len(body)), 10))
-		resp.Header().Set("Content-Type", "text/plain")
+		resp.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		resp.Header().Set("X-Content-Type-Options", "nosniff")
 		resp.Header().Set("Content-Security-Policy", "sandbox")
 		resp.Write(body)

@@ -11,9 +11,8 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/hashicorp/consul/testrpc"
-
 	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/testrpc"
 )
 
 func TestKVSEndpoint_PUT_GET_DELETE(t *testing.T) {
@@ -458,7 +457,7 @@ func TestKVSEndpoint_GET_Raw(t *testing.T) {
 	if len(contentTypeHdr) != 1 {
 		t.Fatalf("expected 1 value for Content-Type header, got %d: %+v", len(contentTypeHdr), contentTypeHdr)
 	}
-	if contentTypeHdr[0] != "text/plain" {
+	if contentTypeHdr[0] != "text/plain; charset=utf-8" {
 		t.Fatalf("expected Content-Type header to be \"text/plain\", got %q", contentTypeHdr[0])
 	}
 

@@ -403,7 +403,7 @@ func (s *HTTPHandlers) Txn(resp http.ResponseWriter, req *http.Request) (interfa
 			return nil, err
 		}
 
-		resp.Header().Set("Content-Type", "application/json")
+		resp.Header().Set("Content-Type", "application/json; charset=utf-8")
 		resp.WriteHeader(http.StatusConflict)
 		resp.Write(buf)
 		return nil, nil

@@ -1033,12 +1033,11 @@ func (r *request) toHTTP() (*http.Request, error) {
 	req.Header = r.header
 
 	// Content-Type must always be set when a body is present
-	// See https://github.com/hashicorp/consul/issues/10011
 	if req.Body != nil && req.Header.Get("Content-Type") == "" {
-		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("Content-Type", "application/json; charset=utf-8")
 	}
 
-	// Setup auth
+	// Check for a token
 	if r.config.HttpAuth != nil {
 		req.SetBasicAuth(r.config.HttpAuth.Username, r.config.HttpAuth.Password)
 	}

@@ -935,11 +935,11 @@ func TestAPI_Headers(t *testing.T) {
 
 	_, _, err = kv.Get("test-headers", nil)
 	require.NoError(t, err)
-	require.Equal(t, "application/json", request.Header.Get("Content-Type"))
+	require.Equal(t, "application/json; charset=utf-8", request.Header.Get("Content-Type"))
 
 	_, err = kv.Delete("test-headers", nil)
 	require.NoError(t, err)
-	require.Equal(t, "application/json", request.Header.Get("Content-Type"))
+	require.Equal(t, "application/json; charset=utf-8", request.Header.Get("Content-Type"))
 
 	err = c.Snapshot().Restore(nil, strings.NewReader("foo"))
 	require.Error(t, err)

@@ -12,7 +12,7 @@ const (
 	contentTypeHeader = "Content-Type"
 	plainContentType  = "text/plain; charset=utf-8"
 	octetStream       = "application/octet-stream"
-	jsonContentType   = "application/json" // Default content type
+	jsonContentType   = "application/json; charset=utf-8" // Default content type
 )
 
 // ContentTypeRule defines a rule for determining the content type of an HTTP request.

@@ -883,12 +883,11 @@ func (r *request) toHTTP() (*http.Request, error) {
 	req.Header = r.header
 
 	// Content-Type must always be set when a body is present
-	// See https://github.com/hashicorp/consul/issues/10011
 	if req.Body != nil && req.Header.Get("Content-Type") == "" {
-		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("Content-Type", "application/json; charset=utf-8")
 	}
 
-	// Setup auth
+	// Check for a token
 	if r.config.HttpAuth != nil {
 		req.SetBasicAuth(r.config.HttpAuth.Username, r.config.HttpAuth.Password)
 	}

@@ -184,7 +184,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 
 	switch req.URL.Path {
 	case "/.well-known/openid-configuration":