Ok, I figured it out. I took a look at the Apache docs, found where in the logs you can specify to show Content-Type, used that to find the content type of the request, and got it fixed.
In case anyone is curious about how to make your server play nice with WordPress and still have the security modules working, here’s a post I wrote detailing the issue.
