What is a mimetype?

Discover what a mimetype is, how it works, and what you can use it for

A mime type - sometimes known as a media type - is a way of identifying the type of content a certain file is. The mime type classification is overseen by the Internet Assigned Numbers Authority (IANA), an organisation known for keeping track of IP addresses and domain names online.

Anatomy of a mimetype

A mimetype is made up of two (usually) parts, the type and subtype. There are 10 types, which are:

  • application

  • audio

  • example

  • font

  • image

  • message

  • model

  • multipart

  • text

  • video

Subtypes are then assigned to give each mimetype its identity.

Example mimetypes

A common list of examples is maintained by the Wikipedia page for mimetypes, which you can find below.

  • application/javascript

  • application/json

  • application/ld+json

  • application/msword

  • application/pdf

  • application/sql

  • application/vnd.api+json

  • application/vnd.ms-excel

  • application/vnd.ms-powerpoint

  • application/vnd.oasis.opendocument.text

  • application/vnd.openxmlformats-officedocument.presentationml.presentation

  • application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

  • application/vnd.openxmlformats-officedocument.wordprocessingml.document

  • application/x-www-form-urlencoded

  • application/xml

  • application/zip

  • application/zstd

  • audio/mpeg

  • audio/ogg

  • image/avif

  • image/jpeg

  • image/png

  • image/svg+xml

  • multipart/form-data

  • text/plain

  • text/css

  • text/csv

  • text/html

  • text/xml

What does a mime type tell us?

A mime type's goal is to tell you about the content of the file at a glance. By inspecting the mime type it's possible to get a fairly good idea of what sort of file you're dealing with, whether that's something plaintext like a text file or CSV, an image like a jpg, or a document like a Word doc or Excel doc.

Having said that, there's a lot that a mimetype can't tell you. For example, if we take an Excel document, the expected mimetype is application/vnd.openxmlformats-officedocument.spreadsheetml.sheet. However, previous Excel documents have a different mimetype, and simply inspecting the mimetype doesn't tell us what generated the document in the first place. Keeping the same example, it's entirely possible that the spreadsheet was generated by Google Sheets or Libra Office rather than Microsoft Excel.

If you're interested in the mime type for Microsoft Excel, or documents in general, then check out our example documents section.

Vendors

Most mimetypes describe a type of file which can have a large number of uses. For example, text/plain can be used to describe any file that has plain text, but that could be anything from a book, someone's notes from a meeting, to a save file for a video game.

That is where vendors come in. Within the subtype space some vendors of applications have created their own mimetype for their files. Keeping the same example we've used throughout this article, if we look at Excel's original file format of .xls the mimetype is: application/vnd.ms-excel

This mimetype uses the application type, but then the subtype is prefixed with vnd (short for vendor). This shows that it is likely a proprietary mimetype, built specifically for one application by a specific vendor. In this case Excel.

Interestingly this has grown over the years to include 'open' vendor formats. Again, keeping with Excel, the more recently XML-based file type of Excel files (.xlsx files) has the mime type of application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, which can be used by many different programs/apps, all producing the same end file.

Other prepended subtypes

Similar to the vendor/vnd prepended subtype, there are a few others, although they are far less common.

The 'personal' tree is identified with prs. Generally this is associated with private or internal-only products and files. You should rarely see this 'out in the wild'.

Similarly is the x. space, which is more strictly for private file types. Officially there should be an agreement between the different parties using the files.

A note about Octet Streams

One mime type which is found often, and can cause some confusion is application/octet-stream. The mime type application/octet-stream is a generic catch-all mime type that is used when a file doesn't have a mime type set.

It may seem odd that this can even happen at all, or under what scenario a mime type wouldn't be set, but it happens more frequently than you might expect.

One common occurrence for application/octet-stream is when a file is streamed to the browser. Streaming of files happens when a file is being generated whilst it is being downloaded. An example of this might be a very large CSV file, where the server is building the CSV and sending it to the browser line-by-line rather than simply downloading a generated file. When this happens the file isn't actually a file until it has finished streaming, so the mime type begins as application/octet-stream and then transforms into text/csv upon completion.

You can often see application/octet-stream on downloads, incomplete or corrupt files.

Security implications

A mime type is not enough to know that a file is of a certain kind. A mime type should be viewed as a hint of the file type, similarly to how a file extension is viewed. For example, I can rename a .docx file to be a .jpg, but it doesn't suddenly make that file an image. Similarly I can change the mime type of a file, but it won't suddenly make it that file type.

This realisation is important for cyber security. Web developers cannot rely on the mime type being an accurate representation of the files contents, especially when dealing with files uploaded by users. If a form only allowed a specific mime type of file to be uploaded it would be very easy for an attacker to simply change the mime type of a malicious file to a non-malicious mime type and get the file uploaded. The example here might be uploading a Java jar applet in place of a jpg by giving it an image/jpg mime type.

This exact attack vector has been proven, where an attacker is able to upload a Java applet with an image/gif mime type. The applet then gets run whenever a user visits a page with the gif displayed. The tactic web developers employ to get around this kind of attack is to transform the file that is uploaded in some way. For example, if a JPG is expected then the developer should resize that JPG and only ever use the resized version. A non-JPG will not be able to be resized, regardless of mime type.

Our Example Files

All of our sample files for all projects include the mime type. Check out our example document files for examples of Word document, Excel document and Powerpoint document file types with associated mime types, or our image files for jpg, png and bmp mime types, and we have sample audio and video sample files with all associated mime types listed.