*Ensure the image is served with the correct content-type (e.g. image/jpeg, application/x-xpinstall)
'''Beware of "special" files'''
*crossdomain.xml allows cross-domain data loading in Flash, Java and Silverlight. If permitted on sites with authentication this can permit cross-domain data theft and CSRF attacks. Note this can get pretty complicated depending on the specific plugin version in question, so its best to just prohibit files named "crossdomain.xml" or "clientaccesspolicy.xml".
=== Image Upload ===