[ADP-151] Content-Disposition

Overview

The Content-Disposition header is used to specify how content should be displayed in the browser. It is commonly used in HTTP responses to indicate if the content should be displayed inline in the browser or treated as an attachment to be downloaded.

Guidance

• SHOULD include the Content-Disposition header in responses that return binary files or non-text MIME type documents, such as an API for fetching an image.

  TIP

  If your API supports CORS, be sure to update Access-Control-Expose-Headers. For more information, refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers.

• The header can take two primary values:
  • inline: This value indicates that the content should be displayed directly in the browser.
  • attachment: This value indicates that the content should be downloaded and saved locally.
• DRAFT It is recommended to avoid setting Content-Disposition to inline for binary files not under direct control, such as user-uploaded image files, due to the potential presence of sensitive content that should not be displayed directly in the browser.
  • In other words, it is RECOMMENDED to set Content-Disposition to attachment by default.

Example

Content-Disposition: attachment; filename="example.pdf"

This example suggests that the browser should download the file named example.pdf.

References

• MDN Web Docs - Content-Disposition
• RFC 6266: Use of the Content-Disposition Header Field in the HTTP Response
• Discussion around attachment or inline
• Content Disposition Survey