---
title: Validate Content-Type for Uploads
impact: MEDIUM
impactDescription: prevents uploading of malicious executable files disguised as data
tags: security, uploads, validation, mimetypes
---

## Validate Content-Type for Uploads

Always validate the `Content-Type` and file extension of uploaded files, and determine the real type from the file's magic bytes (file header) rather than trusting the client-supplied `Content-Type` header or extension alone: both are set by the uploader and say nothing about what the bytes actually are.

**Correct (ActiveStorage + Marcel):**

```ruby
# ActiveStorage identifies a blob's content type with the Marcel gem, which
# sniffs the file's magic bytes instead of trusting the client's Content-Type.
# The `content_type:` validator below comes from the active_storage_validations
# gem and rejects attachments whose detected type is not in the allow-list.
class User < ApplicationRecord
  has_one_attached :avatar

  validates :avatar, content_type: ['image/png', 'image/jpeg']
end
```
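
The following is an added example, not code from the original page, Rails or Marcel: a minimal pure-Ruby sniffer that shows why the rule insists on the bytes rather than the declared type or extension. The `MAGIC` table, `sniff_content_type` and `validate_upload` are illustrative names with a toy subset of signatures; in an application, leave the detection to Marcel as in the model above.

```ruby
# Leading-byte signatures for the few types this example knows (constructed subset).
MAGIC = {
  'image/png'  => "\x89PNG\r\n\x1A\n".b,
  'image/jpeg' => "\xFF\xD8\xFF".b,
  'image/gif'  => 'GIF8'.b,
}.freeze

# Types the avatar upload is allowed to be (mirrors the model validation above).
ALLOWED_TYPES = %w[image/png image/jpeg].freeze

# Identify the type from the leading bytes only; nil when no known signature matches.
def sniff_content_type(bytes)
  head = bytes.b
  MAGIC.each { |type, sig| return type if head.start_with?(sig) }
  nil
end

# Apply the rule: the sniffed type must be allowed, and the client-declared
# Content-Type and the extension must agree with it. Returns [:accepted, type]
# or [:rejected, reason], so a disguised file is refused even when its declared
# type and extension look harmless.
def validate_upload(filename:, declared_type:, bytes:, allowed: ALLOWED_TYPES)
  sniffed = sniff_content_type(bytes)
  return [:rejected, 'unrecognized or disallowed content'] unless sniffed && allowed.include?(sniffed)
  return [:rejected, "declared #{declared_type} but bytes are #{sniffed}"] unless declared_type == sniffed

  ext = File.extname(filename).downcase.delete('.')
  ext = 'jpeg' if ext == 'jpg'
  return [:rejected, "extension .#{ext} does not match #{sniffed}"] unless sniffed.end_with?("/#{ext}")

  [:accepted, sniffed]
end

# Constructed sample inputs (not real files): a PNG header and a PE/COFF
# executable header that has been renamed to look like an image.
PNG_BYTES = "\x89PNG\r\n\x1A\n\x00\x00\x00\rIHDR".b
EXE_BYTES = "MZ\x90\x00\x03\x00\x00\x00".b

if __FILE__ == $0
  p validate_upload(filename: 'avatar.png', declared_type: 'image/png', bytes: PNG_BYTES)
  p validate_upload(filename: 'avatar.png', declared_type: 'image/png', bytes: EXE_BYTES)
  p validate_upload(filename: 'avatar.png', declared_type: 'image/jpeg', bytes: PNG_BYTES)
end
```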

**Tools:** `active_storage_validations` gem (provides the `content_type:` validator shown above); Marcel (magic-byte detection used by ActiveStorage)
