I’d very much like to stand corrected, but it seems to be dependent on the operating system, which is mostly Linux in the cloud but will be Windows when you’re testing locally, or to require 3rd-party Java libraries, which can be big or buggy or have other downsides. You could do some before-commit checks that double-check the file extension (something like endsWith(toLowerCase($FileDoc/Name), '.jpg')), which isn’t 100% reliable but is at least a first line of defense. The file upload widget also provides the option to choose allowed extensions, but I don’t know how it validates them. Probably just file extensions as well. Also, you’ll want to have some additional defense against hackers using the Mendix API to upload and commit files instead of using a file upload widget. I’m curious if others are using before-commit actions or maybe Java mimetype checks as a security measure.
If you want to check the contents, you’ll probably need additional checks apart from mimetype checks. A virus scan also comes to mind, but that requires a licensed module or your own custom implementation.
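An added example, not part of the original post and not Mendix's own code: a content check in plain Java that compares a file's leading bytes with the signature expected for its extension, so it behaves the same on Linux and Windows and needs no third-party library. The class name, method name and the allow-list are assumptions; in a Java action the stream would come from the FileDocument's content.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

// Hypothetical helper: server-side check usable from a before-commit Java action.
public class UploadSignatureCheck {
    // Leading bytes ("magic numbers") of the formats this sketch accepts.
    private static final byte[] JPEG = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] PNG = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    private static final byte[] PDF = {'%', 'P', 'D', 'F', '-'};

    // Allow-list (assumed for the example): extension -> required signature.
    private static final Map<String, byte[]> ALLOWED = Map.of(
            "jpg", JPEG, "jpeg", JPEG, "png", PNG, "pdf", PDF);

    /** True only if the extension is allow-listed AND the content starts with its signature. */
    public static boolean isAcceptable(String fileName, InputStream content) throws IOException {
        if (fileName == null || content == null) return false;
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) return false; // no extension at all
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] expected = ALLOWED.get(ext);
        if (expected == null) return false;                // extension not on the allow-list
        byte[] head = content.readNBytes(expected.length); // may return fewer bytes than asked
        return Arrays.equals(head, expected);              // short or mismatching content fails
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs, not real uploads.
        byte[] jpegBytes = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, 0x00, 0x10};
        byte[] textBytes = "just some text".getBytes(StandardCharsets.US_ASCII);
        byte[] pdfBytes = "%PDF-1.7\n".getBytes(StandardCharsets.US_ASCII);

        System.out.println("photo.JPG, JPEG bytes: "
                + isAcceptable("photo.JPG", new ByteArrayInputStream(jpegBytes)));
        System.out.println("photo.jpg, text bytes: "
                + isAcceptable("photo.jpg", new ByteArrayInputStream(textBytes)));
        System.out.println("report.png, PDF bytes: "
                + isAcceptable("report.png", new ByteArrayInputStream(pdfBytes)));
        System.out.println("tool.exe, JPEG bytes:  "
                + isAcceptable("tool.exe", new ByteArrayInputStream(jpegBytes)));
    }
}
```

A matching signature only shows that the file begins like the claimed format; it does not show the rest of the file is harmless, so it complements the extension check and a virus scan rather than replacing them.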