diff --git a/docker-compose.yml b/docker-compose.yml
index bf01dec..03466fb 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,6 @@ services:
 environment:
 JWT_SECRET: supersecretkey
 PORT: 8000
- ADMIN_PASSWORD: ""
 DB_TYPE: sqlite
 DATABASE_URL: ./data/database.db
 
diff --git a/internal/file/handlers.go b/internal/file/handlers.go
index 9aa197c..36cab7b 100644
--- a/internal/file/handlers.go
+++ b/internal/file/handlers.go
@@ -225,6 +225,9 @@ func (h *Handler) AdminGet(c *gin.Context) {
 return
 }
 
+ c.Header("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, util.SafeFilename(record.Filename)))
+ c.Header("X-Content-Type-Options", "nosniff")
+
 c.File(record.Path)
 }
 
@@ -438,7 +441,6 @@ func (h *Handler) UploadComplete(c *gin.Context) {
 }
 }()
 
- // reuse your existing upload logic 👇
 record, err := h.service.UploadFile(
 req.Filename,
 pr,
@@ -451,7 +453,6 @@ func (h *Handler) UploadComplete(c *gin.Context) {
 return
 }
 
- // cleanup temp
 _ = os.RemoveAll(tmpDir)
 
 log.Info().
@@ -490,4 +491,4 @@ func (h *Handler) UploadStatus(c *gin.Context) {
 c.JSON(200, gin.H{
 "uploadedChunks": uploaded,
 })
-}
\ No newline at end of file
+}
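Review bot: The `inline` disposition added in AdminGet lets the browser render an uploaded file in the application's own origin, so if `c.File` ends up serving it as HTML or SVG, an admin who opens it runs that content with their session. `X-Content-Type-Options: nosniff` only stops type guessing and does not help when the declared type is itself active content. Unless in-browser preview is a requirement, I would serve it as a download and let the standard library do the quoting, so the header does not depend on what `util.SafeFilename` strips (its body is not visible here): `c.Header("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": util.SafeFilename(record.Filename)}))`, which needs the `mime` import. If preview has to stay, adding `c.Header("Content-Security-Policy", "sandbox")` next to the nosniff header is the usual mitigation. AdminGet begins above this hunk, so how `record` is looked up and authorised could not be checked.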