Extension checks vs MIME sniffing vs content inspection
These checks sit at different depths.
Extension checks
- Fast and useful as a first filter.
- Easy to bypass because filenames are user-controlled.
MIME sniffing
- Looks at bytes or signatures instead of trusting the request header.
- Better than extension checks, but still only answers what the file appears to be.
Content inspection
- Looks for risky structures or matches inside the file.
- Needed for PDFs, archives, macro containers, SVG, and more nuanced threat patterns.
Practical takeaway
Use all three in the right order:
- Extension allowlist.
- MIME or magic-byte validation.
- Structural inspection or optional signature scanning.
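The three layers above, wired together in the order the page recommends, as an added example (not code from the original page): an extension allowlist, a magic-byte check against what the extension claims, and a structural inspection that flags risky markers in PDFs, SVGs and zip archives. The allowlist, the marker lists, the helper names (`validate_upload`, `inspect_content`, `build_zip`) and every sample file are constructed for this example; the SVG layer treats the file as text because SVG has no fixed signature.

```python
"""Three-layer upload validation: extension allowlist, magic-byte check,
then structural inspection. All names and sample inputs are constructed."""
import io
import re
import zipfile

# Layer 1: extension allowlist (lowercase, no leading dot). Assumed policy.
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf", "svg", "zip"}

# Layer 2: leading bytes a file of each type must start with.
# SVG is XML text with no fixed signature, so it is handled separately.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

# Layer 3: structures worth flagging inside otherwise well-formed files.
PDF_RISKY = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch"]
SVG_RISKY = re.compile(rb"<script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Last dotted component of the base name, lowercased; '' if none."""
    name = re.split(r"[\\/]", filename)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_extension(filename: str) -> str:
    """Return the extension if allowlisted, else ''."""
    ext = extension_of(filename)
    return ext if ext in ALLOWED_EXTENSIONS else ""


def check_magic(ext: str, data: bytes) -> bool:
    """Does the content start the way a file of the claimed type should?"""
    if ext == "svg":
        head = data[:512].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM/whitespace
        return head.lower().startswith((b"<?xml", b"<svg"))
    return data.startswith(MAGIC[ext])


def inspect_content(ext: str, data: bytes) -> list:
    """Structural inspection; returns a list of findings (empty means clean)."""
    findings = []
    if ext == "pdf":
        findings += ["pdf contains %s" % k.decode() for k in PDF_RISKY if k in data]
    elif ext == "svg":
        for m in SVG_RISKY.finditer(data):
            findings.append("svg contains %s" % m.group(0).decode(errors="replace"))
    elif ext == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    parts = re.split(r"[\\/]", info.filename)
                    if info.filename.startswith(("/", "\\")) or ".." in parts:
                        findings.append("zip entry escapes extraction dir: " + info.filename)
                    # Nested entries must pass the same allowlist (directories have no extension).
                    if extension_of(info.filename) not in ALLOWED_EXTENSIONS:
                        findings.append("zip entry with disallowed type: " + info.filename)
        except zipfile.BadZipFile:
            findings.append("zip structure unreadable")
    return findings


def validate_upload(filename: str, data: bytes) -> tuple:
    """Run the three layers in order and stop at the first one that rejects."""
    ext = check_extension(filename)
    if not ext:
        return False, "extension not allowed"
    if not check_magic(ext, data):
        return False, "content does not look like %s" % ext
    findings = inspect_content(ext, data)
    if findings:
        return False, "; ".join(findings)
    return True, "ok"


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: bytes} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample uploads, one per outcome.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,              # clean
    "tool.exe": b"MZ\x90\x00",                                   # rejected by extension
    "fake.png": b"MZ\x90\x00" + b"\x00" * 16,                     # executable renamed .png
    "form.pdf": b"%PDF-1.7\n1 0 obj<</OpenAction 2 0 R>>endobj\n",  # auto-action marker
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>console.log(1)</script></svg>',
    "clean.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
    "escape.zip": build_zip({"../escape.png": b"x"}),            # path traversal entry
    "bundle.zip": build_zip({"a.png": b"x", "b.pdf": b"%PDF-"}),  # clean archive
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, validate_upload(name, data))
```

Each layer only runs if the previous one passed, so the cheap extension check filters most junk before any bytes are read, and the structural layer only ever sees files that already match their claimed type. The marker lists are deliberately small; in a real deployment they would be the place to plug in a proper parser or a signature scanner, as the last step of the page's list suggests.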