CakePHP-Proffer

Add documentation about validating file extensions

Open: davidyell opened this issue 8 years ago • 1 comment

Add documentation for security purposes advising people to always validate their file upload extensions, so that they don't allow people to upload PHP files to their server, for example.

davidyell, Feb 15 '17 14:02

Just a quick note from experience (today): I could easily get Proffer + upload to work with Cake3's "mimeType" validation, but whatever I tried with the "extension" validation from Cake3, I just couldn't get it to validate (even though request data in logs looked right and mimeType does work, so it must have access to the right data). No time at the moment to further investigate it, so it could still be my fault and not a bug. Just my 2 cents, back to work 💃

isemantics, May 09 '17 13:05
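One way to apply the validation this issue asks for, shown as an added example that is not part of the original thread or of Proffer's documentation. It uses CakePHP 3's built-in `uploadError`, `extension` and `mimeType` rules; the table class `PhotosTable`, the upload field `photo` and the allowlists are assumptions made for illustration.

```php
<?php
// Added example, not Proffer's own code.
// Assumptions: a CakePHP 3 table class named PhotosTable whose upload
// field is called `photo`, accepting only common image types.
namespace App\Model\Table;

use Cake\ORM\Table;
use Cake\Validation\Validator;

class PhotosTable extends Table
{
    // Allowlist of file extensions (compared case-insensitively by the rule).
    const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

    // Allowlist of MIME types, detected from the uploaded file's content.
    const ALLOWED_MIME_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

    public function validationDefault(Validator $validator)
    {
        $validator
            // Reject failed uploads first; `true` lets "no file sent" pass so
            // the field can stay optional. `last` stops the remaining rules
            // from running when this one fails.
            ->add('photo', 'uploadOk', [
                'rule' => ['uploadError', true],
                'message' => 'The upload did not complete.',
                'last' => true,
            ])
            // Checks the extension of the client-supplied file name.
            ->add('photo', 'extension', [
                'rule' => ['extension', self::ALLOWED_EXTENSIONS],
                'message' => 'Only JPG, PNG or GIF files may be uploaded.',
            ])
            // Checks the type of the temporary file's actual content.
            ->add('photo', 'mimeType', [
                'rule' => ['mimeType', self::ALLOWED_MIME_TYPES],
                'message' => 'The file content is not an accepted image type.',
            ]);

        return $validator;
    }
}
```

The `extension` rule looks only at the final extension of the name the client supplied, so it is paired here with the content-based `mimeType` check rather than used alone. Storing uploads in a location where the web server does not execute scripts limits the impact if either check is bypassed.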