diff --git a/Dockerfile b/Dockerfile
index 44425c2..7f1b0d6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,7 +30,7 @@ ARG SITE
 RUN --mount=type=cache,target=/root/.cache/pip \
 apk add --no-cache lighttpd && \
- python -m pip install legacy-cgi itsdangerous requests
+ python -m pip install legacy-cgi itsdangerous requests python-libmagic
 COPY --from=build /build/dist /www/
 COPY cgi-bin /cgi-bin/
diff --git a/cgi-bin/form.py b/cgi-bin/form.py
index 59a2dd8..f0b304d 100755
--- a/cgi-bin/form.py
+++ b/cgi-bin/form.py
@@ -16,6 +16,7 @@ from urllib.parse import urljoin
 import cgi
 import itsdangerous
 import requests
+import magic
 
 
 def fail(status: str, reason: str) -> None:
@@ -38,6 +39,7 @@ HONEYPOT_FIELD_NAME = "addressline1"
 # This regex merely validates what the in-browser form validation already checks and
 # isn't all too strict.
 EMAIL_REGEX = re.compile(r"^[^ ]+@[^ ]+\.[^ ]+$")
+VALID_MIME_TYPES = ("image/jpeg", "image/png", "application/pdf")
 
 # Mapping from site-defined devices (see sites/angestoepselt/_data/config.json in this
 # repository) to the corresponding Zammad categories:
@@ -125,6 +127,7 @@ match os.environ.get("REQUEST_METHOD", "").upper():
 print(f'
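Review bot: The `python-libmagic` requirement added to the pip line only works if the libmagic shared library it binds to is present in the runtime image, and the `apk add --no-cache lighttpd` line in the same RUN step installs no such library. Which binding that name resolves to, and whether it bundles libmagic or expects the system one, isn't visible here; if it needs the system library the line should become `apk add --no-cache lighttpd libmagic && \`. A build-time smoke test such as `RUN python -c "import magic"` would surface a missing library at image build rather than on the first upload.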
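Review bot: `VALID_MIME_TYPES` is introduced without a comment, although the neighbouring `EMAIL_REGEX` carries one and this tuple now serves two roles at once: it is injected into the served form as the `accept` attribute and it is the server-side allow-list that rejects uploads. A one-line note would make that coupling explicit, e.g. `# Upload types the server accepts; also advertised to the browser as the file input's accept= list, so keep both meanings in mind when editing.` The same hunk's later uses are in the match/else block and in get_form_value(), both of which start outside this hunk.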
')
 print(f'')
 else:
+ line = re.sub(r"", f'accept="{', '.join(VALID_MIME_TYPES)}"', line, flags=re.IGNORECASE)
 print(line)
 exit(0)
@@ -169,7 +172,12 @@ def get_form_value(
 or not value_object.file
 ):
 fail("400 Bad Request", f"Invalid value for field: {name}")
- return (value_object.filename or "upload"), value_object.file.read()
+ data = value_object.file.read()
+ with magic.Magic() as magic_instance:
+ mime_type = magic_instance.from_buffer(data)
+ if mime_type not in VALID_MIME_TYPES:
+ fail("400 Bad Request", f"Invalid MIME type {mime_type} for upload: {name}")
+ return (value_object.filename or "upload"), data
 else:
 try:
 result = cast(form.getfirst(name))
@@ -395,7 +403,7 @@ try:
 print("Status: 302 Found")
 print("Content-Type: text/html")
- print("Location: /kontakt/fertig")
+ print(f"Location: /kontakt/fertig")
 print("")
 except Exception as e:
 fail("500 Internal Server Error", str(e))
diff --git a/sites/angestoepselt/computer-beantragen/privat.md b/sites/angestoepselt/computer-beantragen/privat.md
index 44b5c9d..21d2529 100644
--- a/sites/angestoepselt/computer-beantragen/privat.md
+++ b/sites/angestoepselt/computer-beantragen/privat.md
@@ -68,7 +68,7 @@ eingescannt als PDF. Bitte gib uns jetzt noch deine Anschrift. Das sollte die gleiche sein, die auch
diff --git a/sites/angestoepselt/hardware-spenden/organisation.md b/sites/angestoepselt/hardware-spenden/organisation.md
index 5417126..85cda43 100644
--- a/sites/angestoepselt/hardware-spenden/organisation.md
+++ b/sites/angestoepselt/hardware-spenden/organisation.md
@@ -32,7 +32,7 @@ kein Problem. Noch kurz ein paar Hinweise zum Datenschutz:
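Review bot: The added `line = re.sub(...)` rewrite advertises the allow-list to the browser, but an `accept` attribute is a client-side hint that any client can ignore, and nothing in the hunk says so; a comment would keep a later reader from mistaking it for validation, e.g. `# Advertise the upload allow-list to the browser via accept=; this is a UX hint only — the upload's real type is checked server-side in get_form_value().` The pattern handed to re.sub is not legible in this extract, so whether it is anchored tightly enough to touch only the file input cannot be judged here. The enclosing match/else block starts before this hunk.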
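Review bot: The new `with magic.Magic() as magic_instance:` block may never produce a MIME string: with the widely used python-magic binding a default `Magic()` returns a textual description such as a "PNG image data" line, so `mime_type not in VALID_MIME_TYPES` would reject every upload, and that binding would need `magic.Magic(mime=True)` (I also don't believe its Magic class is a context manager, so the `with` form needs checking). Which binding the `python-libmagic` requirement installs isn't visible here, so this wants a test with a real PDF, JPEG and PNG before merging. Separately, `data = value_object.file.read()` buffers the whole upload in memory before the check runs; unless a request-size limit is enforced outside this hunk, an oversized body can exhaust memory, so a cap on the upload size (e.g. from `CONTENT_LENGTH`) would be worth adding here. The detected type is also interpolated into the message passed to `fail()`; since it is derived from untrusted content, it should be escaped if `fail()` renders it into HTML. get_form_value starts before this hunk.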
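Review bot: The f-string on the `Location` line has no placeholders, so the `f` prefix does nothing and linters flag it (ruff F541); unless a value is about to be interpolated, the original `print("Location: /kontakt/fertig")` should stay. If a parameter is planned for this header, bear in mind that any request-derived value in a Location header needs validating against open redirects and header (CRLF) injection before it is printed. The enclosing try block starts before this hunk.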