diff --git a/pkg/api/http/store.go b/pkg/api/http/store.go
index 86efae7..1a85f54 100644
--- a/pkg/api/http/store.go
+++ b/pkg/api/http/store.go
@@ -60,6 +60,9 @@ func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
 		s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
 		return
 	}
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("Content-Security-Policy", "default-src 'none'")
 	w.WriteHeader(http.StatusAccepted)
 	w.Write([]byte(content))
 }
diff --git a/pkg/api/http/store_test.go b/pkg/api/http/store_test.go
new file mode 100644
index 0000000..ab52289
--- /dev/null
+++ b/pkg/api/http/store_test.go
@@ -0,0 +1,54 @@
+package http
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/gorilla/mux"
+)
+
+func TestStoreReadHandler_ContentType(t *testing.T) {
+	dataDir := t.TempDir()
+	srv := NewMockServer()
+	srv.config.DataPath = dataDir
+
+	// Write an HTML payload to the store.
+	writeReq, err := http.NewRequest("POST", "/store", strings.NewReader("<html><script>alert(1)</script></html>"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	writeRR := httptest.NewRecorder()
+	http.HandlerFunc(srv.storeWriteHandler).ServeHTTP(writeRR, writeReq)
+
+	if writeRR.Code != http.StatusAccepted {
+		t.Fatalf("store write returned status %d, want %d", writeRR.Code, http.StatusAccepted)
+	}
+
+	// Read it back and verify Content-Type is application/octet-stream, not text/html.
+	hash := hash("<html><script>alert(1)</script></html>")
+	readReq, err := http.NewRequest("GET", "/store/"+hash, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	readReq = mux.SetURLVars(readReq, map[string]string{"hash": hash})
+
+	readRR := httptest.NewRecorder()
+	http.HandlerFunc(srv.storeReadHandler).ServeHTTP(readRR, readReq)
+
+	if readRR.Code != http.StatusAccepted {
+		t.Fatalf("store read returned status %d, want %d", readRR.Code, http.StatusAccepted)
+	}
+
+	expectedHeaders := map[string]string{
+		"Content-Type":            "application/octet-stream",
+		"X-Content-Type-Options":  "nosniff",
+		"Content-Security-Policy": "default-src 'none'",
+	}
+	for header, want := range expectedHeaders {
+		if got := readRR.Header().Get(header); got != want {
+			t.Errorf("%s = %q, want %q", header, got, want)
+		}
+	}
+}