diff --git a/server/api/controllers/attachments/download-thumbnail.js b/server/api/controllers/attachments/download-thumbnail.js
index 00c6f6d9..0d7444b9 100644
--- a/server/api/controllers/attachments/download-thumbnail.js
+++ b/server/api/controllers/attachments/download-thumbnail.js
@@ -61,7 +61,9 @@ module.exports = {
 throw Errors.ATTACHMENT_NOT_FOUND;
 }
- this.res.setHeader('Content-Disposition', `inline; ${inputs.filename}`);
+ this.res.type(attachment.filename);
+ this.res.set('Cache-Control', 'private, max-age=900'); // TODO: move to config
+
 return exits.success(fs.createReadStream(filePath));
 },
 };
diff --git a/server/api/controllers/attachments/download.js b/server/api/controllers/attachments/download.js
index 4c7d466e..871f7501 100644
--- a/server/api/controllers/attachments/download.js
+++ b/server/api/controllers/attachments/download.js
@@ -14,10 +14,6 @@ module.exports = {
 regex: /^[0-9]+$/,
 required: true,
 },
- filename: {
- type: 'string',
- required: true,
- },
 },
 exits: {
@@ -56,14 +52,12 @@ module.exports = {
 throw Errors.ATTACHMENT_NOT_FOUND;
 }
- let contentDisposition;
- if (attachment.isImage || path.extname(attachment.filename) === '.pdf') {
- contentDisposition = 'inline';
- } else {
- contentDisposition = `attachment; ${inputs.filename}`;
+ this.res.type(attachment.filename);
+ if (!attachment.isImage && path.extname(attachment.filename) !== '.pdf') {
+ this.res.set('Content-Disposition', 'attachment');
 }
+ this.res.set('Cache-Control', 'private, max-age=900'); // TODO: move to config
- this.res.setHeader('Content-Disposition', contentDisposition);
 return exits.success(fs.createReadStream(filePath));
 },
 };
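Review bot: `this.res.type(attachment.filename)` takes the response Content-Type from the stored upload name, which is user-supplied, and the thumbnail is now sent with no Content-Disposition at all. Express's `res.type()` uses an argument containing `/` as the literal media type, so unless names are sanitised at upload (not visible here) the name itself can end up as the header value; passing only the extension avoids that, e.g. `this.res.type(path.extname(attachment.filename));` (assuming `path` is required in this file). The thumbnail at `filePath` is presumably server-generated, so deriving the type from `filePath` rather than the original name would also be more accurate. I would add `this.res.set('X-Content-Type-Options', 'nosniff');` beside the Cache-Control line so browsers do not re-interpret the body. The same `res.type(attachment.filename)` call is added in the second hunk of download.js, and the handler body starts outside this hunk.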
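Review bot: The inline-versus-attachment decision in the new `if` of download.js trusts `attachment.isImage` and a case-sensitive `.pdf` suffix on the stored name, and everything that passes is rendered inline on the application's own origin. If `isImage` can be true for SVG (how it is computed is not visible here), that file is served as active content; an explicit allowlist of inline-safe extensions, with `Content-Disposition: attachment` as the default, is the safer shape. For example `const ext = path.extname(attachment.filename).toLowerCase();` followed by `if (!INLINE_SAFE_EXTENSIONS.has(ext)) { this.res.set('Content-Disposition', 'attachment'); }`, where `INLINE_SAFE_EXTENSIONS` is a new constant you define. Note also that `private, max-age=900` lets a browser keep serving the file from cache for up to 15 minutes after access to the attachment has been revoked, which is worth stating next to the TODO. The handler body starts outside this hunk.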