Upload MimeTypes: Server-side validation #1431
Replies: 2 comments 1 reply
Hey @MentalGear — I believe it does both! But honestly I can't remember. Gonna ping @PatrikKozak to do some testing here and report back with his findings. If it doesn't work on front / backend, it will shortly. 👍 Also, is your name a play on Metal Gear? Because if it is, big fan. There are Metal Gear references littered throughout our site and docs... 😇
This is exactly the gap I've seen in a lot of upload pipelines. Restricting what the browser picker allows is useful UX, but it's not the same thing as making a trust decision on the server. Filenames and client-declared MIME are easy to spoof, so the real boundary is the backend route that receives the bytes. I built an OSS package for this exact step in Node.js. It focuses on inspect-before-storage decisions for untrusted uploads: content-based type checks, MIME/extension mismatch detection, archive risk signals, suspicious document/binary hints, and optional quarantine/promote workflows.
I was very pleased to read that Payload does uniform validation across front/backend.
When reading about settable mimeTypes, it's easy to assume the same would apply here. Yet, reading a bit more in detail, the docs state: "mimeTypes property can restrict what files are allowed from the user's file picker." So frontend only. It would make sense to have the backend check mimetypes too, to be in line with the rest of validation and what developers expect. Thx!
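The server-side check that both the original question and the second comment ask for, as an added example that is not Payload's code or the commenter's package. It assumes the backend already holds the upload's raw bytes, the client-declared MIME type and the original filename; the allow-list, the signature table and the sample inputs are constructed for the example. It sniffs the type from the file header and reports any disagreement with the declared MIME type or the extension, so a renamed or mislabelled file is rejected before it is stored.

```javascript
// Added example: content-based upload validation on the server.
// Assumption: the route handler has the raw bytes in a Buffer/Uint8Array,
// plus the client-declared MIME type and filename (both untrusted).

// Allow-list the backend enforces (constructed for this example).
const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'application/pdf']);

// Well-known file headers ("magic bytes"), matched at offset 0.
const SIGNATURES = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },        // "GIF8"
  { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
  { mime: 'application/zip', bytes: [0x50, 0x4b, 0x03, 0x04] },  // "PK\x03\x04"
];

// What the filename extension claims the content is.
const EXTENSION_MIME = {
  png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg',
  gif: 'image/gif', pdf: 'application/pdf', zip: 'application/zip',
};

// Detect the type from the bytes themselves; null if no signature matches.
function sniffMime(bytes) {
  for (const sig of SIGNATURES) {
    if (bytes.length >= sig.bytes.length && sig.bytes.every((b, i) => bytes[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Map the extension to a MIME type; null for unknown or missing extensions.
function extensionMime(filename) {
  const m = /\.([a-z0-9]+)$/i.exec(filename);
  return m ? (EXTENSION_MIME[m[1].toLowerCase()] ?? null) : null;
}

// Trust decision: the sniffed type must be allowed, and the declared MIME
// and extension must agree with it. Returns every reason for rejection.
function validateUpload({ filename, declaredMime, bytes }, allowed = ALLOWED_TYPES) {
  const detected = sniffMime(bytes);
  const fromExt = extensionMime(filename);
  const reasons = [];
  if (detected === null) reasons.push('unrecognized content');
  if (detected !== null && !allowed.has(detected)) reasons.push(`content type ${detected} not allowed`);
  if (detected !== null && declaredMime !== detected) reasons.push(`declared ${declaredMime} but content is ${detected}`);
  if (detected !== null && fromExt !== null && fromExt !== detected) reasons.push(`extension implies ${fromExt} but content is ${detected}`);
  return { ok: reasons.length === 0, detected, reasons };
}

// Constructed sample uploads: a genuine PNG, a ZIP renamed to .png with a
// spoofed MIME type, and a file with no recognizable header.
const SAMPLES = {
  genuinePng: { filename: 'photo.png', declaredMime: 'image/png', bytes: Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]) },
  zipAsPng: { filename: 'photo.png', declaredMime: 'image/png', bytes: Uint8Array.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00]) },
  unknown: { filename: 'blob.png', declaredMime: 'image/png', bytes: Uint8Array.from([0x00, 0x01, 0x02, 0x03]) },
};

for (const [name, sample] of Object.entries(SAMPLES)) {
  const result = validateUpload(sample);
  console.log(name, result.ok ? 'accepted' : `rejected: ${result.reasons.join('; ')}`);
}
```

The picker's mimeTypes restriction and the declared MIME type are still useful as hints, but only the sniffed type feeds the allow-list decision here; the declared value and the extension are checked for consistency and any disagreement is itself a rejection reason.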