fix(state): omit Content-Type when response has no body

Per RFC 7230 §3.3.2, a sender MUST NOT generate a Content-Type field
in a message containing no payload body, and per §3.3.3, 204, 205 and
304 responses MUST NOT include a body.

HttpResponseHeadersTrait::getHeaders() now gates Content-Type behind a
$hasBody check derived from output['class'] (false when output: false)
and from the resolved status code (skipped on 204, 205, 304).

Fixes #2929

Author: soyuka

src/State/Util/HttpResponseHeadersTrait.php

@@ -52,13 +52,23 @@ trait HttpResponseHeadersTrait
     private function getHeaders(Request $request, HttpOperation $operation, array $context): array
     {
         $status = $this->getStatus($request, $operation, $context);
+        $method = $request->getMethod();
+        $outputMetadata = $operation->getOutput() ?? ['class' => $operation->getClass()];
+        $hasOutput = \is_array($outputMetadata) && \array_key_exists('class', $outputMetadata) && null !== $outputMetadata['class'];
+        // RFC 7230 §3.3.2 / §3.3.3: 204, 205 and 304 responses MUST NOT include a payload body,
+        // and a sender MUST NOT generate a Content-Type field for a message without a body.
+        $hasBody = $hasOutput && !\in_array($status, [Response::HTTP_NO_CONTENT, Response::HTTP_RESET_CONTENT, Response::HTTP_NOT_MODIFIED], true);
+
         $headers = [
-            'Content-Type' => \sprintf('%s; charset=utf-8', $request->getMimeType($request->getRequestFormat())),
             'Vary' => 'Accept',
             'X-Content-Type-Options' => 'nosniff',
             'X-Frame-Options' => 'deny',
         ];
 
+        if ($hasBody) {
+            $headers['Content-Type'] = \sprintf('%s; charset=utf-8', $request->getMimeType($request->getRequestFormat()));
+        }
+
         $exception = $request->attributes->get('exception');
         if (($exception instanceof HttpExceptionInterface || $exception instanceof SymfonyHttpExceptionInterface) && $exceptionHeaders = $exception->getHeaders()) {
             $headers = array_merge($headers, $exceptionHeaders);
@@ -76,10 +86,7 @@ private function getHeaders(Request $request, HttpOperation $operation, array $c
             $headers['Accept-Patch'] = $acceptPatch;
         }
 
-        $method = $request->getMethod();
         $originalData = $context['original_data'] ?? null;
-        $outputMetadata = $operation->getOutput() ?? ['class' => $operation->getClass()];
-        $hasOutput = \is_array($outputMetadata) && \array_key_exists('class', $outputMetadata) && null !== $outputMetadata['class'];
         $hasData = !$hasOutput ? false : ($this->resourceClassResolver && $originalData && \is_object($originalData) && $this->resourceClassResolver->isResourceClass($this->getObjectClass($originalData)));
 
         if ($hasData) {

tests/State/RespondProcessorTest.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\Tests\State;
 
 use ApiPlatform\Metadata\ApiResource;
+use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\Get;
 use ApiPlatform\Metadata\IriConverterInterface;
 use ApiPlatform\Metadata\Operation\Factory\OperationMetadataFactoryInterface;
@@ -162,6 +163,65 @@ public function testAddsLinkedDataPlatformHeaders(): void
         $this->assertSame('application/ld+json', $response->headers->get('Accept-Post'));
     }
 
+    public function testDoesNotSetContentTypeWhenOutputIsFalse(): void
+    {
+        $operation = new Post(class: Employee::class, output: ['class' => null], status: 204);
+
+        $resourceClassResolver = $this->prophesize(ResourceClassResolverInterface::class);
+        $resourceClassResolver->isResourceClass(Employee::class)->willReturn(true);
+
+        $respondProcessor = new RespondProcessor(null, $resourceClassResolver->reveal());
+
+        $req = new Request();
+        $req->setMethod('POST');
+        $response = $respondProcessor->process(null, $operation, context: [
+            'request' => $req,
+            'original_data' => new Employee(),
+        ]);
+
+        $this->assertSame(204, $response->getStatusCode());
+        $this->assertFalse($response->headers->has('Content-Type'));
+    }
+
+    public function testDoesNotSetContentTypeWhenOutputIsFalseWithCreatedStatus(): void
+    {
+        $operation = new Post(class: Employee::class, output: ['class' => null], status: 201);
+
+        $resourceClassResolver = $this->prophesize(ResourceClassResolverInterface::class);
+        $resourceClassResolver->isResourceClass(Employee::class)->willReturn(true);
+
+        $respondProcessor = new RespondProcessor(null, $resourceClassResolver->reveal());
+
+        $req = new Request();
+        $req->setMethod('POST');
+        $response = $respondProcessor->process(null, $operation, context: [
+            'request' => $req,
+            'original_data' => new Employee(),
+        ]);
+
+        $this->assertSame(201, $response->getStatusCode());
+        $this->assertFalse($response->headers->has('Content-Type'));
+    }
+
+    public function testDoesNotSetContentTypeOnBodylessStatusCodes(): void
+    {
+        $operation = new Delete(class: Employee::class);
+
+        $resourceClassResolver = $this->prophesize(ResourceClassResolverInterface::class);
+        $resourceClassResolver->isResourceClass(Employee::class)->willReturn(true);
+
+        $respondProcessor = new RespondProcessor(null, $resourceClassResolver->reveal());
+
+        $req = new Request();
+        $req->setMethod('DELETE');
+        $response = $respondProcessor->process(null, $operation, context: [
+            'request' => $req,
+        ]);
+
+        $this->assertSame(204, $response->getStatusCode());
+        $this->assertFalse($response->headers->has('Content-Type'));
+    }
+
     public function testDoesNotAddLinkedDataPlatformHeadersWithoutFactory(): void
     {
         $operation = new Get(uriTemplate: '/employees/{id}', class: Employee::class);