diff --git a/src/security/validators.py b/src/security/validators.py
index 381ba321..c303aa5a 100644
--- a/src/security/validators.py
+++ b/src/security/validators.py
@@ -86,6 +86,19 @@ class SecurityValidator:
 ".vue",
 ".svelte",
 ".lock",
+ # Image formats (document uploads; native photos go through image_handler.py)
+ ".png",
+ ".jpg",
+ ".jpeg",
+ ".gif",
+ ".webp",
+ ".heic",
+ ".heif",
+ ".bmp",
+ ".tiff",
+ ".tif",
+ # Document formats
+ ".pdf",
 }
 
 # Forbidden filenames and patterns
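Review bot: The new image and PDF entries widen what appears to be an extension allowlist from text/source files (`.vue`, `.svelte`, `.lock` in the context lines) to binary formats, yet an extension match says nothing about the bytes inside, so a file named `x.pdf` or `x.png` passes regardless of its content. If any consumer of this set assumes accepted files are text (UTF-8 decoding, inclusion in a text view) or hands them to an image or PDF parser, it should first compare the leading magic bytes with the claimed extension and enforce a size cap; that code is not visible in this hunk, so confirm it exists. The added comment says native photos go through image_handler.py, which leaves two validation paths for the same formats, and it is worth stating which checks each one applies so they do not drift apart. At minimum I would record the limitation next to the entries, e.g. `# Binary formats: extension check only; content type and size must be verified before parsing or serving`. The set literal and the enclosing class begin outside the hunk.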