The OWASP website suggests validating the content-type header, but it does not specify the rationale for this. What is the reason that I should validate the content-type header, even though I am not reading or using it?
When POSTing or PUTting new data, the client will specify the Content-Type (e.g. application/xml or application/json) of the incoming data. The server should never assume the Content-Type; it should always check that the Content-Type header and the content are the same type. A lack of Content-Type header or an unexpected Content-Type header should result in the server rejecting the content with a 406 Not Acceptable response.
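One way to implement the check the cheat sheet describes, as an added example that is not OWASP's or the asker's code: the allowlist of media types, the header names and the sample bodies are assumptions constructed for the demonstration.

```python
import json
import xml.etree.ElementTree as ET

# Added example, not OWASP's or the asker's code. The allowed types below are an
# assumption; a real API would list exactly the types its handlers parse.
# Note: for untrusted XML in production, prefer a hardened parser such as defusedxml.
VALIDATORS = {
    "application/json": json.loads,
    "application/xml": ET.fromstring,
}

def parse_media_type(header):
    """Split 'application/json; charset=utf-8' into ('application/json', {'charset': 'utf-8'}).
    Returns (None, {}) for a missing or malformed header."""
    if not header:
        return None, {}
    main, _, rest = header.partition(";")
    media_type = main.strip().lower()
    if media_type.count("/") != 1 or not all(media_type.split("/")):
        return None, {}
    params = {}
    for part in rest.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            params[key.strip().lower()] = value.strip().strip('"')
    return media_type, params

def validate_request(headers, body):
    """Gate an incoming POST/PUT before any handler touches the body.
    Returns (status, reason); 200 means the body was checked and may be parsed.
    The cheat sheet uses 406 for rejection; 415 Unsupported Media Type is the
    other common choice."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    media_type, params = parse_media_type(lowered.get("content-type"))
    if media_type is None:
        return 406, "missing or malformed Content-Type header"
    if media_type not in VALIDATORS:
        return 406, "unexpected media type: " + media_type
    try:
        text = body.decode(params.get("charset", "utf-8"))
        VALIDATORS[media_type](text)  # declared type must match what the body actually is
    except (LookupError, UnicodeDecodeError, ValueError, ET.ParseError):
        return 406, "body does not parse as " + media_type
    return 200, "ok"

if __name__ == "__main__":
    # Constructed sample requests: one conforming, three that the gate rejects.
    print(validate_request({"Content-Type": "application/json; charset=utf-8"}, b'{"id": 1}'))
    print(validate_request({}, b'{"id": 1}'))
    print(validate_request({"Content-Type": "text/plain"}, b"id=1"))
    print(validate_request({"Content-Type": "application/json"}, b"<id>1</id>"))
```

The last call shows the case the cheat sheet is really about: the header says JSON, the body is XML, and the request is rejected before any parser is chosen on the basis of the body alone.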