Exceeds
Alex Vanderveen

PROFILE

Alex Vanderveen

Alex enhanced backend request validation in the rommapp/romm repository by developing a robust Content-Type header validation flow in Python. Focusing on backend development and data validation, Alex introduced logic to parse and normalize the MIME essence (type/subtype) of Content-Type headers, so that allowlist checks remain accurate even when a header carries parameters, surrounding whitespace, or unusual encodings such as a leading byte-order mark. This reduced both false positives and false negatives in resource download validation while preserving the existing security controls and SSRF mitigations. Logging was refined so that operators still see the raw header, which supports clearer troubleshooting. The work was regression-tested to confirm correct behavior across varied header formats.

Overall Statistics

Feature vs Bugs

Features: 0%

Repository Contributions

Total: 1
Bugs: 1
Commits: 1
Features: 0
Lines of code: 17
Activity months: 1

Work History

April 2026

1 Commits

Apr 1, 2026

Month: 2026-04

Overview: A focused set of backend improvements in rommapp/romm delivering a robust Content-Type header validation flow. The work improves request validation accuracy, logging clarity, and reliability when handling headers with parameters, whitespace, or unusual encodings such as a leading byte-order mark, without widening the allowlist of content types.

Key features delivered:
- Robust Content-Type header validation for resource downloads: the MIME essence (type/subtype) is parsed before the allowlist check, so headers that carry parameters or hidden characters are handled correctly.
- Essence-based validation: introduced content_type_essence(header_value), which cleans and normalizes the type token (lowercase, trimmed whitespace, BOM removed) before comparison against the allowed prefixes.
- Logging improvements: operators still see the original raw header (or that the header is missing) for traceability, while the match logic relies on the normalized essence to reduce noise and confusion.

Major bugs fixed:
- Bug: Content-Type headers with parameters, or with encoding/padding artifacts such as a BOM or surrounding whitespace, could cause valid downloads to be rejected or invalid ones to be accepted.
- Solution: normalize to the MIME essence before applying the allowlist; reject an empty essence; preserve the existing allowed prefixes.
- Security alignment: existing SSRF controls were kept and the content-type allowlist was not widened; the change was regression-tested.

Overall impact and accomplishments:
- More correct and reliable request validation for downloads, with fewer false negatives and false positives caused by Content-Type handling.
- Clearer, more actionable logs for operators, enabling faster troubleshooting of header-related issues.
- No user-facing behavior change beyond more robust handling of tricky headers, in keeping with existing security policies.

Technologies/skills demonstrated:
- Backend request validation and security controls
- Header parsing and normalization (Content-Type essence)
- Logging instrumentation and observability
- Regression-safe refactoring and test alignment

Commit reference:
- rommapp/romm – Content-Type header validation robustness
  hash: 6aca8fdfcf48768402209236a804d459083e6093
  description: Parses and validates the Content-Type essence before resource downloads; improves handling of parameters and BOM while preserving allowlist prefixes; enhances logging clarity.
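The normalization-then-allowlist flow described above, written out as an added example. This is not the rommapp/romm project's code: the function name content_type_essence comes from the description, but the allowlist contents, the helper names, the token regex and the prefix-matching rule are assumptions made here for illustration.

```python
"""Content-Type essence normalization before an allowlist check.

Added example, not project code. Assumptions: the ALLOWED_PREFIXES list is
hypothetical; a prefix ending in "/" matches a whole top-level type, any
other prefix must match the essence exactly (a deliberate choice so that
"application/zip" cannot be satisfied by "application/zipfoo").
"""
import logging
import re
from typing import Iterable, Optional

logger = logging.getLogger(__name__)

# Hypothetical allowlist (assumption for this example, not the project's list).
ALLOWED_PREFIXES = ("image/", "application/zip", "application/octet-stream")

_BOM = "\ufeff"
# RFC 7230 token characters, lowercase only because we normalize first.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9a-z]+"
_ESSENCE_RE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def _strip_padding(value: str) -> str:
    """Remove surrounding whitespace and byte-order marks, repeating until
    stable so a mixture such as ' \\ufeff  image/png ' is fully cleaned
    (str.strip() alone does not treat U+FEFF as whitespace)."""
    previous = None
    while previous != value:
        previous = value
        value = value.strip().strip(_BOM)
    return value


def content_type_essence(header_value: Optional[str]) -> str:
    """Return the normalized MIME essence ('type/subtype') of a Content-Type
    header, or '' when no well-formed essence can be recovered.

    Parameters after the first ';' (charset, boundary, ...) are discarded,
    padding is removed and the result is lowercased. Anything that is not a
    single token/token pair (e.g. a comma-joined list of two media types,
    or a bare type with no subtype) is rejected rather than guessed at.
    """
    if not header_value:
        return ""
    essence = header_value.split(";", 1)[0]
    essence = _strip_padding(essence).lower()
    if not _ESSENCE_RE.fullmatch(essence):
        return ""
    return essence


def is_allowed_content_type(header_value: Optional[str],
                            allowed: Iterable[str] = ALLOWED_PREFIXES) -> bool:
    """Allowlist check on the essence; the raw header is logged for operators
    while the decision itself is made on the normalized value."""
    essence = content_type_essence(header_value)
    logger.info("content-type check: raw=%r essence=%r",
                header_value if header_value is not None else "<missing>",
                essence)
    if not essence:            # empty essence is always rejected
        return False
    for prefix in allowed:
        if prefix.endswith("/"):
            if essence.startswith(prefix):
                return True
        elif essence == prefix:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample headers: valid ones that a naive exact comparison
    # would reject, and malformed ones that must not slip through.
    samples = [
        "image/png",
        "Image/PNG; charset=binary",
        "\ufeff application/zip ",
        "application/zipfoo",
        "image/png, text/html",
        "; charset=utf-8",
        None,
    ]
    for raw in samples:
        print(f"{raw!r:32} -> essence={content_type_essence(raw)!r} "
              f"allowed={is_allowed_content_type(raw)}")
```

The two points worth checking in any implementation of this pattern are the ones the description calls out: an empty essence must be a rejection, not a pass-through, and the comparison must run on the essence while the log line keeps the raw header so an operator can see what the upstream server actually sent.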

Quality Metrics

Correctness: 100.0%
Maintainability: 80.0%
Architecture: 80.0%
Performance: 80.0%
AI Usage: 20.0%

Skills & Technologies

Programming Languages

Python

Technical Skills

API development, backend development, data validation

Repositories Contributed To

1 repo

Overview of all repositories you've contributed to across your timeline

rommapp/romm

Apr 2026 to Apr 2026 (1 month active)

Languages Used

Python

Technical Skills

API development, backend development, data validation