2026-06-22 | Security
File Type Validation: A Complete Security Guide
File type validation is critical for the security of any upload feature. Relying on the file extension alone is dangerous.
Three Layers of Validation
1. Extension Check
Keep an allowlist of accepted extensions. Easily bypassed by renaming the file.
2. MIME Type
Check the Content-Type header sent with the upload. Can be spoofed by the client.
3. Magic Bytes (Most Secure)
Read file header bytes to verify true type:
const magicNumbers = {
  'application/pdf': [0x25, 0x50, 0x44, 0x46], // %PDF
  'image/png':       [0x89, 0x50, 0x4E, 0x47], // \x89PNG (first 4 of the 8-byte PNG signature)
  'image/jpeg':      [0xFF, 0xD8, 0xFF],       // JPEG start-of-image marker
};
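The three layers combined into one check, as an added example that is not code from the original post: ALLOWED, validateUpload, runSamples and the SAMPLE_* buffers are names and constructed inputs introduced here. It shows a PDF renamed to .png passing the first two layers and being rejected by the magic bytes.

```javascript
// Added example: all three layers applied to one upload. ALLOWED, validateUpload
// and the SAMPLE_* buffers are names introduced here, not from the original post.
const ALLOWED = {
  pdf:  { mime: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46] },                         // %PDF
  png:  { mime: 'image/png',       magic: [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A] }, // full 8-byte PNG signature
  jpg:  { mime: 'image/jpeg',      magic: [0xFF, 0xD8, 0xFF] },                               // JPEG SOI marker
  jpeg: { mime: 'image/jpeg',      magic: [0xFF, 0xD8, 0xFF] },
};

// Returns { ok: true, type } when every layer agrees, else { ok: false, reason }.
function validateUpload(filename, declaredMime, bytes) {
  // Layer 1: extension allowlist. Only the final extension counts, so
  // "shell.php.png" is treated as png here and must still pass the later layers.
  const name = filename.toLowerCase();
  const dot = name.lastIndexOf('.');
  const ext = dot > 0 ? name.slice(dot + 1) : '';
  const rule = ALLOWED[ext];
  if (!rule) return { ok: false, reason: 'extension not allowed' };

  // Layer 2: the client-declared Content-Type must agree with the extension.
  // Cheap to check, but spoofable, so never the final word.
  const mime = declaredMime.toLowerCase().split(';')[0].trim();
  if (mime !== rule.mime) return { ok: false, reason: 'mime mismatch' };

  // Layer 3: the file header must carry the magic bytes of the claimed type.
  const magic = rule.magic;
  const headerOk = bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b);
  if (!headerOk) return { ok: false, reason: 'magic bytes mismatch' };

  return { ok: true, type: rule.mime };
}

// Constructed sample headers (not real files): a minimal PNG start and "%PDF-1.7\n".
const SAMPLE_PNG = Uint8Array.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D]);
const SAMPLE_PDF = Uint8Array.from('%PDF-1.7\n', (c) => c.charCodeAt(0));

// Walk the cases the post warns about and return the verdicts.
function runSamples() {
  return {
    genuinePng:  validateUpload('photo.png', 'image/png', SAMPLE_PNG),
    renamedPdf:  validateUpload('photo.png', 'image/png', SAMPLE_PDF), // renamed: caught by layer 3
    badExt:      validateUpload('shell.php', 'image/png', SAMPLE_PNG), // caught by layer 1
    spoofedMime: validateUpload('doc.pdf', 'image/png', SAMPLE_PDF),   // caught by layer 2
  };
}

console.log(runSamples());
```

Magic bytes only confirm the header, so a file can carry a valid signature and still be malicious; the malware scan and out-of-web-root storage from the best practices below still apply.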
Best Practices
- Use all three layers
- Never trust client-side validation alone
- Scan for viruses
- Store files outside web root
- Set proper Content-Type headers
Download safe sample files from SampleFiles.
#security #validation #mime #upload