File upload: auto-detect content type instead of trusting user header

[akrem-chabchoub]

Context

• Bee version: 2.6.0
• Component: /bzz upload endpoint (pkg/api/bzz.go)

Summary

The /bzz endpoint requires users to provide a Content-Type header when uploading files, but there's no validation that this header matches the actual file content. This leads to incorrect content types being stored in the manifest metadata.

Expected behavior

When a user uploads README.md with Content-Type: image/png, the system should either:

1. Reject the request with a validation error, or
2. Detect the actual content type and use that instead

Actual behavior

The incorrect Content-Type header is blindly trusted and stored in the manifest. When the file is downloaded later, the browser receives the wrong MIME type and fails to render the content correctly:

• A text file marked as image/png displays as broken image
• Users see corrupted/unreadable content in their browser

Steps to reproduce

1. Upload a markdown file with wrong content type:

curl -XPOST \
  -H "Swarm-Postage-Batch-Id: <batch-id>" \
  -H "Content-Type: image/png" \
  --data-binary @README.md \
  localhost:1633/bzz

2. See the file in the browser

http://localhost:1633/bzz/<reference>

3. Browser tries to render markdown as PNG and fails

Possible solution

Remove the Content-Type header requirement and auto-detect the content type from the file bytes using Go's built-in http.DetectContentType().

Benefits:

• Users don't need to specify the correct MIME type
• Eliminates this class of bugs entirely
• Files are always served with correct content types
• Simpler API (one less required header)

Note

Check other endpoints that accept content type from users for the same issue.