MediaWiki 1.40 recommends adding the nosniff header to the image directory:
You should configure your webserver to return the http header 'X-Content-Type-Options: nosniff' for the /images directory. This will instruct browsers to not apply content sniffing when accessing the files. MediaWiki before 1.40 shipped with a content sniffer which disallowed potentially dangerous files at upload time, but this protection has now been removed in favor of this 'X-Content-Type-Options: nosniff' header and the installer will return a warning when it is not in place.
We need to do this before we fully upgrade to 1.40.
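One way to confirm the header is in place before the upgrade, as an added example (not MediaWiki's own check): the script requests a few paths under /images and reports any response without a `nosniff` value. The base URL argument and the sample paths are assumptions; the nonexistent file is included so error responses are checked as well.

```python
import sys
import urllib.error
import urllib.request

HEADER = "X-Content-Type-Options"


def fetch_headers(url, timeout=5):
    """Return (status, headers) for a GET, including 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        # Error responses carry headers too; a server may omit the header
        # on these even when it sets it on successful responses.
        return err.code, err.headers


def has_nosniff(headers):
    """True if the first X-Content-Type-Options value is 'nosniff'."""
    values = headers.get_all(HEADER) or []
    # Duplicate header lines are combined; the first comma-separated
    # value is the one that is evaluated, case-insensitively.
    first = ",".join(values).split(",")[0].strip().lower()
    return first == "nosniff"


def audit(base_url, paths):
    """Return (path, status) for every response lacking the header."""
    missing = []
    for path in paths:
        status, headers = fetch_headers(base_url.rstrip("/") + path)
        if not has_nosniff(headers):
            missing.append((path, status))
    return missing


if __name__ == "__main__" and len(sys.argv) == 2:
    # Constructed sample paths; replace with real uploaded files.
    sample_paths = ["/images/", "/images/does-not-exist.png"]
    failures = audit(sys.argv[1], sample_paths)
    for path, status in failures:
        print(f"missing nosniff: {path} (HTTP {status})")
    sys.exit(1 if failures else 0)
```

Run it with the wiki's base URL as the only argument; a non-zero exit status means at least one checked path lacked the header.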