Services
Technology Web App Development Mobile App Development Windows App Development Database Development UI/UX Development Cloud Development SEO Digital Marketing Guest Posting Content Writing Artificial Intelligence Data Science ERP Development CRM Development CMS Development LMS Development Business Listing Blockchain Technology Startup Promotion AI Tools Integration
Products
Data Converter Cleaner TUC - Unit Converter Import Export Survey Manager Tweet Controller
Developer
Article Blog Forum Interview Beginner News Startup Quiz
Users
Career
Apply Job Internship
Pricing
Login Sign Up Get a Quote

interview

home / developersection / interviews / how to create image file validator in production grade.
Ask Question

How to create Image file validator in production grade.

Ravi Vishwakarma 47 05 Jun 2026
c# c#
Updated 05 Jun 2026
Ravi Vishwakarma
Ravi Vishwakarma

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Message

1 Answers

Ravi Vishwakarma
Ravi Vishwakarma 05 Jun 2026
Report Abuse

A production-grade image file validator should do much more than just check the file extension. The goal is to ensure the file is actually a valid image, meets your business requirements, and cannot be used for attacks.

Validation Layers

1. Check File Size

Reject files that are too small or too large.

const long MaxFileSize = 5 * 1024 * 1024; // 5 MB

if (file.Length == 0 || file.Length > MaxFileSize)
{
    return "Invalid file size";
}

2. Validate Allowed Extensions

Only allow expected image formats.

var allowedExtensions = new[] { ".jpg", ".jpeg", ".png", ".webp" };

var extension = Path.GetExtension(file.FileName).ToLowerInvariant();

if (!allowedExtensions.Contains(extension))
{
    return "Unsupported file type";
}

Never rely only on extensions.

A malicious file can be renamed:

virus.exe → image.jpg

3. Validate MIME Type

Check the content type sent by the client.

var allowedMimeTypes = new[]
{
    "image/jpeg",
    "image/png",
    "image/webp"
};

if (!allowedMimeTypes.Contains(file.ContentType))
{
    return "Invalid MIME type";
}

Do not trust MIME type completely. It can be spoofed.

4. Verify File Signature (Magic Numbers)

Inspect the first bytes of the file.

Example signatures:

Format Signature
JPEG FF D8 FF
PNG 89 50 4E 47
WebP RIFF....WEBP

Example:

byte[] jpegSignature = { 0xFF, 0xD8, 0xFF };

using var stream = file.OpenReadStream();

byte[] buffer = new byte[3];
await stream.ReadAsync(buffer);

if (!buffer.SequenceEqual(jpegSignature))
{
    return "Invalid image";
}

This is one of the most important checks.

5. Attempt to Decode the Image

A valid image signature doesn't guarantee the image isn't corrupted.

Using ImageSharp:

using SixLabors.ImageSharp;

try
{
    using var image = await Image.LoadAsync(file.OpenReadStream());
}
catch
{
    return "Corrupted image";
}

If decoding fails, reject the upload.

6. Validate Dimensions

Prevent huge images:

using var image = await Image.LoadAsync(file.OpenReadStream());

if (image.Width > 5000 || image.Height > 5000)
{
    return "Image dimensions too large";
}

Example business rules:

Profile Photo:
Min: 200x200
Max: 3000x3000

7. Strip Metadata (Recommended)

Images can contain:

  • GPS coordinates
  • Device information
  • Camera details

Remove metadata before storing.

image.Metadata.ExifProfile = null;

This improves privacy and security.

8. Generate Safe File Names

Never use:

file.FileName

Instead:

var fileName = $"{Guid.NewGuid()}.jpg";

Avoid:

../../../web.config

path traversal attacks.

9. Virus/Malware Scanning (Enterprise)

For high-security systems:

  • ClamAV
  • Microsoft Defender
  • Cloud malware scanning services
  • Scan before final storage.

10. Store Outside Web Root

Bad:

wwwroot/uploads

Better:

/storage/images

or

Azure Blob Storage
AWS S3
MindStick Training