Basically, it must follow RFC 6266: "Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)" https://tools.ietf.org/html/rfc6266#section-5 Proposal (2023-04-29 update...

proposal/new requirement - served filename in content-disposition header must follow correct encoding · Issue #1390 · OWASP/ASVS