Multer's file object contains a mimetype value. The documentation describes it as "Mime type of the file", but provides no other details.
How is the value of this field determined? Is it simply the Content-Type: provided by the client (which can easily be spoofed) or is the uploaded file evaluated in some way that can help determine the true file type?
By tracking the source code, it's come from content-type header.
Here is how I track:
make-middleware.js in Multer: Where there is a busboy stream object listening on file event and having mimetype as one of the input parameter of callback function. The mimetype is appended to req.files that the user got.
busboy: The busboy instance is created with request headers parsed by it's own parseHeaders and parseParams function. You can find it's doing something on content-type header.
Further tracking, you will find it applies the Dicer object to listen on headers event and emit file event to busboy with parsed mimeType.