Perhaps the byte sequence "P100s of Samsung are really cool phones" is a perfectly well-formed 6x6 pixel GIF file.
No, it isn't. I didn't pick my example lightly. It's not a valid GIF or Netpbm PBM file. But even if it would be valid,
it strengthens my argument, that looking at the first couple of bytes to guess the type of content is as bug-ridden as just looking at the file name.
That said, malicious users will attack any such heuristic assumptions to their favor. Britney.jpg.exe If your upload code expects web-intended images and only wants to accept web-intended images, it benefits the system to expect that any available heuristic passes muster.
Interesting that you bring up the web. See, the people who initially designed HTTP got it right. Documents delivered over HTTP are tagged with their type. No inspection of a fragment of the data is required. No implied type derived from the URL. Instead, a clear separation of information (the content) and the meta-information (the content type). Simple. Logical. Not error prone. Isn't that what MacOS does with its resource and data forks?