text/htmltext/html is the media type for HyperText Markup Language documents, the foundation of web pages. Receiving this type, a browser parses the markup into a DOM and loads the linked CSS, JavaScript, and images to render.
The charset parameter matters greatly. Without an explicit `Content-Type: text/html; charset=utf-8`, the browser guesses the encoding or relies on the document's `<meta charset>`, which can garble non-ASCII text (mojibake) or enable charset-sniffing XSS (e.g. UTF-7 injection). The HTTP header's charset takes precedence over the in-document meta, so declaring UTF-8 in the header is safest.
Browsers treat text/html as active content and execute scripts. Therefore re-serving a user-uploaded file as text/html becomes stored XSS. Defend with `X-Content-Type-Options: nosniff` to stop sniffing and `Content-Security-Policy` to restrict script sources.
e.g. Content-Type: text/html; charset=utf-8