Content-Type: application/json — Why It Fails and How to Fix It

The Content-Type HTTP header serves as a declaration of the media type and encoding of the request body. When a client sends a POST or PUT request with a body, the Content-Type header tells the server which format to expect. The server's parsing layer reads this header before touching the body and decides which parser to invoke. If the header says application/json, the server invokes its JSON parser. If the header says application/x-www-form-urlencoded, the server invokes its URL-encoded form parser. If the header is absent or set to a value the server does not recognize, the server typically responds with 415 Unsupported Media Type or leaves the body unparsed.

In Express, the express.json() middleware function is responsible for JSON body parsing. It inspects each incoming request's Content-Type header, and if the value is application/json, it reads the request body stream, passes it through JSON.parse, and assigns the result to req.body. If the Content-Type is anything else, express.json() passes the request to the next middleware without touching req.body. This means that a request with the correct JSON body but the wrong or missing Content-Type header will arrive at your route handler with req.body set to undefined or an empty object, depending on whether another body parser ran first.

The HTTP/1.1 specification defines Content-Type as describing the media type of the representation sent in the message payload. For JSON, the registered media type is application/json as defined in RFC 8259. An optional charset parameter can follow, such as application/json; charset=utf-8, but RFC 8259 mandates UTF-8 as the default encoding for JSON, so the charset parameter is rarely necessary and many APIs ignore it entirely. Servers that are strict about charset validation may reject application/json; charset=utf-16 with a 415 error even though the JSON itself is valid.

Content-Type negotiation happens at the protocol level before your application code runs. This is why the fix for a missing header cannot be applied inside the route handler. The route handler receives an already-parsed (or not-parsed) req.body. Inspecting or modifying the request body inside the handler does not help if the middleware layer never parsed it.

When req.body is undefined in an Express route handler, the first step is to confirm that express.json() is registered at all and that it appears before the route in the middleware stack. A common mistake is to define routes at the top of the file and call app.use(express.json()) lower in the file. Express processes middleware in declaration order, so the route executes before the body parser has a chance to run.

The second diagnostic step is to inspect the Content-Type header of the incoming request. Add a temporary middleware that logs req.headers['content-type'] for incoming requests. If the header is absent, text/plain, or application/x-www-form-urlencoded, the body parser will not parse a JSON body and req.body will be empty. If the header is application/json but req.body is still empty, check whether the body itself is valid JSON by logging req.rawBody or by using the raw request body middleware to capture the stream before parsing.

For 415 Unsupported Media Type responses, the server is explicitly rejecting the request because the media type is not acceptable. This means the server has body parsing configured with strict media type checking. In Express, express.json() returns a 415 when the Content-Type is not application/json and the request method is POST or PUT. Some API frameworks and gateways also produce 415 when the Content-Type header contains the correct media type but has additional parameters they do not recognize.

Using curl to isolate the problem is effective. Reproduce the same request that fails from the browser using a curl command with explicit headers. If the curl request succeeds, the problem is in how the browser client is constructing the request. If the curl request also fails, the problem is on the server side. Compare the exact headers sent by each client using curl's -v flag to view request and response headers, and compare them against the headers visible in the browser's network panel.

The Fetch API does not automatically set Content-Type when you provide a body as a string. You must add it explicitly in the headers object. The pattern for a JSON POST request is to add a headers object with Content-Type set to application/json, pass the JavaScript object through JSON.stringify before assigning it to body, and check the response status before calling res.json(). Checking the status is important because calling res.json() on a non-JSON response body, such as an HTML error page returned by a proxy, throws a SyntaxError.

For curl, the default behavior when using -d or --data is to send the body with Content-Type: application/x-www-form-urlencoded. To send JSON, you must add the -H flag with the Content-Type header explicitly: curl -X POST -H 'Content-Type: application/json' -d '{...}' https://api.example.com/endpoint. The order of the flags does not matter, but omitting -H causes the API to receive form-encoded data instead of JSON. Use -v to confirm the header appears in the Request Headers section of the output.

In the Axios HTTP client for Node.js, the behavior is different: Axios automatically sets Content-Type to application/json when the data option is a JavaScript object. However, if you pass a pre-stringified JSON string as the data, Axios does not automatically add the header and you must set it manually. When using the Axios request config with data as a plain object, rely on the automatic header. When using a string body for any reason, add the header explicitly.

For server-to-server requests in Node.js using the native http module or https module, you must set Content-Type in the options object and also set Content-Length to the byte length of the body string. Forgetting Content-Length causes many servers to wait for more data and eventually time out. The safer approach in Node.js server code is to use a higher-level HTTP client such as Axios, got, or node-fetch, all of which handle these low-level details automatically when given a plain JavaScript object.

Content-Type and Accept are both HTTP headers related to media types, but they communicate in opposite directions and serve different purposes. Content-Type describes the media type of the message body that the sender is providing. Accept describes the media types that the sender can understand in a response. Confusing the two is a common source of incorrect behavior, particularly when an API client sends Accept: application/json but omits Content-Type: application/json on a request with a JSON body.

When a client sends a GET request, there is no request body and therefore no need for Content-Type. The Accept header tells the server that the client wants JSON in the response. The server reads Accept and responds with Content-Type: application/json in the response headers. This is content negotiation: the client expresses its preferences and the server selects the best matching format.

When a client sends a POST or PUT request with a JSON body, it needs both headers for different reasons. Content-Type: application/json on the request tells the server how to parse the body. Accept: application/json on the request tells the server what format the client wants for the response body. A client that sends Content-Type but not Accept will get the server's default response format, which may or may not be JSON depending on the API. A client that sends Accept but not Content-Type may have its request body rejected.

A related header is Content-Encoding, which describes the transfer encoding of the body such as gzip or deflate. This is different from Content-Type. An application/json body that has been gzip-compressed would use both Content-Type: application/json and Content-Encoding: gzip. The server must decompress the body before parsing it as JSON. Most HTTP clients handle compression transparently, but it is useful to understand the distinction when debugging requests that fail with malformed body errors even though the Content-Type is correct.

The CORS specification divides cross-origin requests into two categories: simple requests and preflighted requests. Simple requests are sent directly without a preceding OPTIONS preflight. Preflighted requests cause the browser to send an OPTIONS request first to verify that the server allows the cross-origin request. Setting Content-Type to application/json automatically makes a request a preflighted request, which means an OPTIONS preflight request will appear in your browser's network panel before the actual POST.

A request qualifies as a simple request only if the Content-Type is one of three values: application/x-www-form-urlencoded, multipart/form-data, or text/plain. Using application/json does not qualify as a simple request because it is not in that list. This means that any API that accepts JSON bodies from browsers will receive preflight OPTIONS requests. The server must respond to OPTIONS requests with the appropriate CORS headers, including Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. If Access-Control-Allow-Headers does not include Content-Type, the browser blocks the actual request.

This is a common confusion for developers who successfully send text/plain or form-encoded requests to a cross-origin API and then switch to JSON bodies. The existing CORS configuration may not include Content-Type in the allowed headers, causing the preflight to fail with a CORS error that mentions a missing Access-Control-Allow-Headers value. The fix is to add Content-Type to the server's CORS configuration, not to change the Content-Type of the request.

In Express, the cors package handles preflight automatically when configured correctly. Calling app.use(cors({ origin: '...', allowedHeaders: ['Content-Type', 'Authorization'] })) ensures that both the preflight OPTIONS response and the actual response include the correct CORS headers. Without explicitly listing allowedHeaders, some CORS middleware implementations may not include Content-Type in the Access-Control-Allow-Headers response header, which causes preflight failures for any request that uses application/json.

Building a consistent API client layer eliminates the entire class of Content-Type errors by centralizing header management. Rather than adding Content-Type and Accept headers to every individual fetch call, define a base request function that adds these headers automatically and handles common error cases. This base function should also handle JSON serialization of the request body and JSON deserialization of the response body, throwing typed errors when either step fails.

For TypeScript applications, defining an api function that accepts a typed request configuration and returns a typed response creates a contract that is enforced at compile time. The implementation can use generic type parameters to annotate the expected response body type. This pattern means that every API call in the codebase uses the same headers without any developer needing to remember to add Content-Type manually.

API clients built on Axios benefit from instance-level default headers. Creating an Axios instance with axios.create({ baseURL: '...', headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' } }) applies those headers to every request made through that instance. Request interceptors can add authentication headers dynamically. Response interceptors can normalize error responses into a consistent format. This approach is particularly effective in larger codebases where many developers make API calls, because the correct headers are applied without any individual action.

On the server side, documenting expected Content-Type in your API with an OpenAPI specification creates a machine-readable contract that tools can validate against. Middleware that validates the Content-Type header and returns 415 with a clear error message before the request reaches route handlers provides early feedback to API clients about incorrect usage. Logging the Content-Type value alongside the request method and path in your access logs makes it easy to retrospectively analyze which clients are sending incorrect headers.