From 36ad73c800919265626d4045c47baeb605cdc0d8 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Thu, 15 Jun 2017 23:36:51 +0200
Subject: [PATCH] Added more mitigations for XXE

---
 .../src/main/resources/lessonPlans/en/XXE_mitigation.adoc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
index 2ba1be885..2e30c8a40 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
@@ -19,3 +19,11 @@ xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
 ----
 For more information about configuration, see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
+
+
+==== Validate
+
+Implement proper validation for the Content-type and Accept header do not simply rely on the framework to handle
+ the incoming request. Also if the client specifies a proper accept header return with a `406/Not Acceptable.
+
+`
\ No newline at end of file