It's better to add Content-Disposition: attachment; filename="api.json" to response header in the case that some browsers had the vulnerability of nosniff bypass. But for keeping this guideline simple, maybe this shouldn't be added. How do you think?