Otherwise the headers from `JSONResponse` are gone and the Content-Type of the response would be `text/html` instead of `application/json; charset=utf-8`. This leads to broken scripts since we set the `nosniff` tag, furthermore this is very bad from a security PoV.
$data->getData(),
$data->getStatus()
);
- $response->setHeaders($data->getHeaders());
+ $response->setHeaders(array_merge($data->getHeaders(), $response->getHeaders()));
return $response;
} else {
return new JSONResponse($data);