diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
index 2ba1be885..2e30c8a40 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
@@ -19,3 +19,11 @@ xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
 ----
 For more information about configuration, see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
+
+
+==== Validate
+
+Implement proper validation for the Content-type and Accept header do not simply rely on the framework to handle
+ the incoming request. Also if the client specifies a proper accept header return with a `406/Not Acceptable.
+
+`
\ No newline at end of file