How to Use File Magic Numbers to Secure File Uploads in Java
This article explains why relying on file extensions is unsafe, introduces the concept of file magic numbers, lists common file signatures, and provides Java code to read the first 28 bytes of an uploaded file for robust type verification, reducing upload vulnerabilities.
Accepting file uploads is one of the riskier things a web application does; the most basic defense is to verify that each uploaded file is of a type the application allows.
Checking only the file extension is unreliable: the client chooses the file name, so a script can be uploaded as "shell.jpg" simply by renaming it. A check on the file's actual content is needed.
Many file formats begin with a fixed byte sequence, called a magic number or file signature, that identifies the format regardless of the file name.
To reduce the risk of file upload attacks, read the first 28 bytes of the uploaded file, convert them to hexadecimal, and check that they start with the magic number of the type the client claims, and that this type is on the allow-list. The extension and the signature must agree; a match for any known type is not enough.
Common file type magic numbers (hexadecimal, at offset 0 unless noted)
JPEG – FFD8FF
PNG – 89504E47 (the full signature is 89504E470D0A1A0A)
GIF – 47494638 ("GIF8", followed by "7a" or "9a")
BMP – 424D ("BM"; only two bytes, so a match is weak evidence)
PDF – 255044462D312E ("%PDF-1."; checking only 255044462D accepts PDF 2.0 as well)
ZIP – 504B0304 (also the container format of DOCX, XLSX, JAR and APK)
RAR – 52617221 ("Rar!")
WAV – 52494646 ("RIFF") at offset 0, then 57415645 ("WAVE") at offset 8
AVI – 52494646 ("RIFF") at offset 0, then 41564920 ("AVI ") at offset 8
WAV and AVI are RIFF containers: bytes 4–7 hold a length field, so the "WAVE"/"AVI " tag must be compared at offset 8, not at the start of the file.
Java example for reading file headers
```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HexFormat;
byte[] b = new byte[28];
try (InputStream is = new FileInputStream(file_path)) {   // try-with-resources closes the stream even on error
    int n = is.readNBytes(b, 0, 28);   // readNBytes (Java 9+) loops until 28 bytes or EOF; a bare read() may return fewer
    b = Arrays.copyOf(b, n);           // drop unread trailing zeros so they cannot accidentally match a signature
}
String fileHead = HexFormat.of().formatHex(b).toUpperCase();   // HexFormat (Java 17+) replaces the article's undefined bytes2hex helper
```
The resulting string is then compared, with startsWith, against the magic number expected for the claimed extension.
This method provides stricter file type validation than an extension check and reduces the risk of file upload vulnerabilities, but it does not guarantee security on its own: a polyglot file can carry a valid image header followed by script content and still pass. For higher security, store uploads under server-generated names and serve them from a dedicated resource server that does not execute scripts.
Java High-Performance Architecture