docs: update for simplified MIME detection (v1.5.1)

documentation/threat-model.md

@@ -191,28 +191,27 @@ User Input Flow:
 
 ## MIME Detection Security
 
-Content is detected by magic bytes, not user-supplied Content-Type:
+Content is detected by UTF-8 validation (text vs binary):
 
 ```
-User uploads "image.png" with PHP payload
+User uploads content
          |
          v
-[Magic byte detection] --> Not PNG magic --> text/plain
-         |
+[UTF-8 validation] --> Valid UTF-8 --> text/plain
+         |              Invalid --> application/octet-stream
+         v
 [X-Content-Type-Options: nosniff] --> Browser won't sniff
          |
 [CSP: default-src 'none'] --> No script execution
 ```
 
-### Polyglot Attack Mitigations
+### Security Headers (Primary Defense)
 
-| Attack | Detection | Result |
-|--------|-----------|--------|
-| PNG + HTML | PNG magic detected | image/png |
-| GIF + JS | GIF magic detected | image/gif |
-| PDF + ZIP | PDF magic detected | application/pdf |
-| SVG + script | No XML magic | text/plain |
-| JPEG + PHP | JPEG magic detected | image/jpeg |
+| Header | Value | Protection |
+|--------|-------|------------|
+| X-Content-Type-Options | nosniff | Prevents MIME sniffing |
+| Content-Security-Policy | default-src 'none' | Blocks script execution |
+| X-Frame-Options | DENY | Prevents framing |
 
 ---