I was reading Cross_Site_Scripting_Prevention_Cheat_Sheet and it says on rule 3.1
Ensure returned Content-Type header is application/json and not text/htm