Is HttpPostedFile.ContentType a flawless way to validate an uploaded file?

太阳男子 2020-12-19 05:42

I want to validate the file type to make sure the user is uploading an image of type JPEG, GIF, or PNG. Instead of checking the file extension, I figured using HttpPostedFil

3 Answers
  •  独厮守ぢ
    2020-12-19 06:17

    Both using the extension and the HTTP headers are equally unreliable, as they both can be faked with ease, either by a malicious attacker using raw HTTP requests, or by an innocent browser user picking an incorrectly named file. If you want to be certain, you must crack the file open and analyze the content; there is no other way.
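
The content check this answer describes, as an added example that is not part of the original answer: it reads the first bytes of the upload and compares them with the JPEG, PNG and GIF signatures, ignoring both the extension and `ContentType`. The `ImageSniffer` class and its sample inputs are constructed for illustration; in ASP.NET the stream passed in would be `HttpPostedFile.InputStream`.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;

public static class ImageSniffer   // hypothetical helper, not a framework class
{
    // Leading bytes ("magic numbers") of the three formats the question allows.
    private static readonly (string Mime, byte[] Magic)[] Signatures =
    {
        ("image/jpeg", new byte[] { 0xFF, 0xD8, 0xFF }),
        ("image/png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }),
        ("image/gif",  Encoding.ASCII.GetBytes("GIF87a")),
        ("image/gif",  Encoding.ASCII.GetBytes("GIF89a")),
    };

    // Returns the MIME type implied by the content, or null if it is none of the three.
    public static string DetectMime(Stream input)
    {
        var header = new byte[8];
        int read = 0, n;
        // Stream.Read may return fewer bytes than asked for, so loop until full or EOF.
        while (read < header.Length &&
               (n = input.Read(header, read, header.Length - read)) > 0)
            read += n;
        if (input.CanSeek) input.Position = 0; // rewind so the caller can still save the file

        foreach (var (mime, magic) in Signatures)
            if (read >= magic.Length && header.Take(magic.Length).SequenceEqual(magic))
                return mime;
        return null; // too short or unknown signature: reject
    }

    public static void Main()
    {
        // Constructed samples: (declared Content-Type, first bytes of the body).
        var samples = new (string Declared, byte[] Body)[]
        {
            ("image/png",  new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13 }),
            ("image/jpeg", Encoding.ASCII.GetBytes("GIF89a")),                    // mislabelled GIF
            ("image/jpeg", Encoding.ASCII.GetBytes("plain text, not an image")), // forged header
            ("image/gif",  Encoding.ASCII.GetBytes("GIF")),                       // truncated file
        };
        foreach (var (declared, body) in samples)
        {
            string detected = DetectMime(new MemoryStream(body)) ?? "none (reject)";
            Console.WriteLine("declared=" + declared + " detected=" + detected);
        }
    }
}
```

A matching signature only shows how the file starts; fully decoding and re-encoding the image on the server gives stronger assurance about the rest of the content.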
