
I have seen the answers on this SO question: Trusting "Content-Type" on File Uploads

And they make sense intuitively.

However, according to RFC 2616 Sec 7.2.1,

"If and only if the media type is not given by a Content-Type field, the recipient MAY attempt to guess the media type via inspection of its content and/or the name extension(s) of the URI used to identify the resource."

I would like to know the reasoning behind this part of the RFC when applied to a server - why should a server trust the client's header and only fall back on content inspection if it is missing? Efficiency is one reason I can think of. Or perhaps I am misinterpreting the RFC?

Vasan
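Added example, not part of the original question: the rule quoted from RFC 2616 Sec 7.2.1 (use the declared type, guess only when none is given) placed beside an upload check that treats the header as a claim and compares it with the leading bytes of the content. The function names, the small signature table and the sample bytes are assumptions made for this illustration.

```python
# Added illustration; the names and the signature table are assumptions.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]


def sniff(body):
    """Guess a media type from the leading bytes; None if unrecognised."""
    for magic, mtype in SIGNATURES:
        if body.startswith(magic):
            return mtype
    return None


def normalise(header):
    """Drop parameters (e.g. '; charset=...') and case from a Content-Type value."""
    if not header:
        return None
    return header.split(";", 1)[0].strip().lower() or None


def rfc_media_type(header, body):
    """RFC 2616 7.2.1 as quoted: inspect content only when no Content-Type is given."""
    declared = normalise(header)
    if declared is not None:
        return declared
    return sniff(body) or "application/octet-stream"


def check_upload(header, body, allowed):
    """Upload policy: the header is a claim that must agree with the content."""
    declared = normalise(header)
    sniffed = sniff(body)
    if sniffed is None:
        return ("reject", "unrecognised content")
    if sniffed not in allowed:
        return ("reject", f"type {sniffed} not allowed")
    if declared is not None and declared != sniffed:
        return ("reject", f"declared {declared} but content is {sniffed}")
    return ("accept", sniffed)


# Constructed sample: PDF bytes sent with an image/png header.
PDF_BODY = b"%PDF-1.4\n"
if __name__ == "__main__":
    print(rfc_media_type("image/png", PDF_BODY))
    print(check_upload("image/png", PDF_BODY, {"image/png", "image/jpeg"}))
```

A matching signature only shows how a file begins; it does not prove the rest of the file is well formed.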

0 Answers