MIME Types Reference
A reference of MIME (media) types for file formats. Useful for web server configuration, Content-Type headers, and upload validation.
What is a MIME type?
MIME (Multipurpose Internet Mail Extensions) types are a standard mechanism for identifying file format and nature. Written as type/subtype, they tell browsers and servers how to process a file. Used in HTTP Content-Type headers, HTML <input type="file" accept="..."> attributes, and elsewhere.
Image (image/*)
| Extension | MIME type | Description |
|---|---|---|
| .jpg / .jpeg | image/jpeg | JPEG — lossy compression, ideal for photos |
| .png | image/png | PNG — lossless with alpha transparency |
| .gif | image/gif | GIF — animation support, 256 colors |
| .webp | image/webp | WebP — Google's high-compression format |
| .avif | image/avif | AVIF — next-gen format based on AV1 |
| .svg | image/svg+xml | SVG vector graphics, XML-based |
| .ico | image/x-icon | Icon file, used for favicons |
| .bmp | image/bmp | Bitmap, uncompressed |
| .tiff / .tif | image/tiff | TIFF, common in print/DTP |
Documents (application/*)
| Extension | MIME type | Description |
|---|---|---|
application/pdf | PDF document | |
| .doc | application/msword | Microsoft Word (legacy) |
| .docx | application/vnd.openxmlformats-officedocument.wordprocessingml.document | Microsoft Word (OOXML) |
| .xls | application/vnd.ms-excel | Microsoft Excel (legacy) |
| .xlsx | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet | Microsoft Excel (OOXML) |
| .ppt | application/vnd.ms-powerpoint | Microsoft PowerPoint (legacy) |
| .pptx | application/vnd.openxmlformats-officedocument.presentationml.presentation | Microsoft PowerPoint (OOXML) |
Text (text/*)
| Extension | MIME type | Description |
|---|---|---|
| .txt | text/plain | Plain text |
| .html / .htm | text/html | HTML document |
| .css | text/css | CSS stylesheet |
| .csv | text/csv | Comma-separated values |
| .xml | text/xml | XML document |
| .js | text/javascript | JavaScript (application/javascript also valid) |
| .json | application/json | JSON data |
| .md | text/markdown | Markdown text |
Audio (audio/*)
| Extension | MIME type | Description |
|---|---|---|
| .mp3 | audio/mpeg | MP3 — most common audio format |
| .wav | audio/wav | WAV — uncompressed PCM |
| .ogg | audio/ogg | Ogg Vorbis |
| .flac | audio/flac | FLAC — lossless compression |
| .aac | audio/aac | AAC — successor to MP3 |
| .webm | audio/webm | WebM audio |
| .m4a | audio/mp4 | MPEG-4 audio |
Video (video/*)
| Extension | MIME type | Description |
|---|---|---|
| .mp4 | video/mp4 | MP4 — most common video format |
| .webm | video/webm | WebM — open format for the web |
| .avi | video/x-msvideo | AVI |
| .mov | video/quicktime | QuickTime |
| .mkv | video/x-matroska | Matroska container |
| .mpeg | video/mpeg | MPEG video |
Archives & Compression (application/*)
| Extension | MIME type | Description |
|---|---|---|
| .zip | application/zip | ZIP archive |
| .gz / .gzip | application/gzip | Gzip-compressed file |
| .tar | application/x-tar | tar archive |
| .tar.gz | application/gzip | tar+gzip archive |
| .rar | application/vnd.rar | RAR archive |
| .7z | application/x-7z-compressed | 7-Zip archive |
| .bz2 | application/x-bzip2 | Bzip2 file |
Fonts (font/*)
| Extension | MIME type | Description |
|---|---|---|
| .woff | font/woff | Web Open Font Format |
| .woff2 | font/woff2 | WOFF2 — better compression |
| .ttf | font/ttf | TrueType font |
| .otf | font/otf | OpenType font |
Other
| Extension | MIME type | Description |
|---|---|---|
| (unknown) | application/octet-stream | Generic binary data; default for unknown formats |
| .wasm | application/wasm | WebAssembly binary |
Using MIME types in development
Server-side configuration
Web servers (Apache / Nginx) map file extensions to MIME types. If misconfigured, browsers may fail to handle the file correctly — for example, a .webp file with the wrong MIME type may be downloaded instead of displayed inline.
Upload validation
When implementing file uploads, validate both extension and MIME type. Be aware that MIME types can be spoofed by the client, so combine them with magic-byte (file signature) validation for security.
Content-Type header
Set an appropriate Content-Type header on API responses and downloads. Use application/json for JSON, text/csv for CSV, and add a charset parameter (text/html; charset=utf-8) when needed.
Setting MIME types in server configs
Below are the configuration snippets you reach for 90% of the time when serving modern formats (WebP, AVIF, WASM, font files) that may not be in your server's default mapping.
Apache .htaccess
# Modern image formats
AddType image/webp .webp
AddType image/avif .avif
AddType image/svg+xml .svg .svgz
# Fonts (so the browser caches them aggressively)
AddType font/woff .woff
AddType font/woff2 .woff2
# WebAssembly & modern JSON variants
AddType application/wasm .wasm
AddType application/manifest+json .webmanifest
AddType application/ld+json .jsonld
# Force UTF-8 for text formats
AddCharset utf-8 .html .css .js .json .xmlNginx (mime.types overrides)
types {
image/webp webp;
image/avif avif;
application/wasm wasm;
application/manifest+json webmanifest;
}
# Force charset for text/* and application/json
charset utf-8;
charset_types text/css text/plain text/xml application/javascript application/json application/xml;PHP — sending Content-Type
// Serve a download with the right Content-Type and a filename
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="invoice.pdf"');
readfile($path);
// JSON API response (always include charset)
header('Content-Type: application/json; charset=utf-8');
echo json_encode($data, JSON_UNESCAPED_UNICODE);Node.js / Express
// Express infers Content-Type from res.type() or the file extension
app.get('/data.json', (req, res) => {
res.type('application/json').send({ ok: true });
});
// Streaming a file with explicit MIME
app.get('/report.csv', (req, res) => {
res.set('Content-Type', 'text/csv; charset=utf-8');
fs.createReadStream('report.csv').pipe(res);
});Python — Flask / FastAPI
# Flask
from flask import Response
return Response(csv_text, mimetype='text/csv', headers={'Content-Disposition': 'attachment; filename="data.csv"'})
# FastAPI
from fastapi.responses import Response
return Response(content=json_str, media_type='application/json')Go — net/http
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.Header().Set("X-Content-Type-Options", "nosniff") // security: see below
json.NewEncoder(w).Encode(data)Security: why X-Content-Type-Options: nosniff matters
Browsers historically "sniffed" file contents to guess the type when the Content-Type header was missing or wrong. This is a known attack vector — a user uploading a file labeled image/jpeg that actually contains <script> could trigger XSS if the browser sniffs it as HTML.
Always send X-Content-Type-Options: nosniff on every response. It tells the browser "trust the Content-Type I sent; do not guess." This is especially critical for user-uploaded content and JSON APIs (where a hostile attacker could try to coerce JSON into being interpreted as HTML or JS).
Upload validation — the 3-layer rule
- Extension check — fast, but easily bypassed by renaming files. Use as a UX hint only.
- Client-sent MIME type (the
Content-Typein the multipart boundary) — equally easy to spoof; the browser sets it based on the file's extension. - Magic bytes (file signature) detection — reads the first few bytes of the actual file content and compares against known signatures (e.g.,
FF D8 FFfor JPEG,89 50 4E 47for PNG). This is the only reliable layer. See the Magic Bytes reference for the full table.
Production rule of thumb: do all three. Treat the first two as quick filters that reject obvious garbage; treat the third as the authoritative check.
Frequently asked questions
What is the difference between application/json and text/json?
application/json is the IANA-registered, standards-compliant MIME type defined in RFC 8259. text/json was an early ad-hoc usage that some servers still emit but it is not registered and should be avoided. JSON is encoded in UTF-8 by definition, so a charset parameter is technically redundant but harmless and commonly added for clarity.
Why does my .webp or .avif file download instead of displaying inline?
Your server has no mapping for that extension and is falling back to application/octet-stream, which the browser treats as "unknown binary, download it." Add the mapping (image/webp / image/avif) to your server config — see the Apache / Nginx snippets above.
Is the MIME type sent by the browser trustworthy for upload validation?
No. The browser sets it based on the file's extension at the time of selection — anyone can rename malware.exe to cute-cat.jpg and the browser will dutifully label it image/jpeg. Always combine extension + client-sent MIME + magic-byte detection (see the 3-layer rule above).
What MIME type should I use for files my server doesn't recognise?
application/octet-stream — explicitly defined as "arbitrary binary data" and the safe default. Browsers will offer to download such files rather than trying to render them, which prevents accidental code execution.
Why does application/x-www-form-urlencoded have an x- prefix?
Historically the x- prefix denoted "experimental" or "non-standard" MIME types. RFC 6648 (2012) deprecated the convention but many widely-deployed types — including this one and application/x-www-form-urlencoded, image/x-icon, application/x-tar — kept the prefix for backward compatibility.
Should I include charset for binary types like images or PDFs?
No. charset only makes sense for text-based types (text/*, application/json, application/xml). Adding it to image/jpeg or application/pdf is meaningless and some intermediaries (CDNs, proxies) may strip it.