diff --git a/src/routes/conversation/[id]/output/[sha256]/+server.ts b/src/routes/conversation/[id]/output/[sha256]/+server.ts
index a349842632e..10d4eed41c0 100644
--- a/src/routes/conversation/[id]/output/[sha256]/+server.ts
+++ b/src/routes/conversation/[id]/output/[sha256]/+server.ts
@@ -44,6 +44,8 @@ export const GET: RequestHandler = async ({ locals, params }) => {
 return new Response(Buffer.from(value, "base64"), {
 headers: {
 "Content-Type": mime ?? "application/octet-stream",
+ "Content-Security-Policy":
+ "default-src 'none'; script-src 'none'; style-src 'none'; sandbox;",
 },
 });
 };
diff --git a/src/routes/settings/(nav)/assistants/[assistantId]/avatar.jpg/+server.ts b/src/routes/settings/(nav)/assistants/[assistantId]/avatar.jpg/+server.ts
index 23f2025610a..b23a3ccbbd5 100644
--- a/src/routes/settings/(nav)/assistants/[assistantId]/avatar.jpg/+server.ts
+++ b/src/routes/settings/(nav)/assistants/[assistantId]/avatar.jpg/+server.ts
@@ -37,6 +37,8 @@ export const GET: RequestHandler = async ({ params }) => {
 return new Response(content, {
 headers: {
 "Content-Type": "image/jpeg",
+ "Content-Security-Policy":
+ "default-src 'none'; script-src 'none'; style-src 'none'; sandbox;",
 },
 });
 };
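Review bot: The response in the conversation output route still sends `Content-Type` straight from `mime` and sets no `X-Content-Type-Options`, so the new sandbox policy restricts what a rendered document can do but does not stop the browser from rendering the body inline or treating it as a type other than the declared one. Add `"X-Content-Type-Options": "nosniff",` beside the new header, and the same line in the avatar.jpg route in the second hunk. Where `mime` is set is outside the hunk; if it is derived from uploaded or generated data, it would be worth serving only an allowlist of types inline and sending `Content-Disposition: attachment` for everything else. The GET handler begins above the hunk, so the checks that run before this return are not visible here.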
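Review bot: The policy string added in the avatar.jpg route is a literal copy of the one added in the conversation output route, so the two can drift apart when one is tightened later; a single exported constant used by both handlers would keep them identical. `script-src 'none'; style-src 'none'` is already implied by `default-src 'none'`, so if the explicit directives are kept for readability, a short comment above the header such as `// locked-down CSP + sandbox: stored file content must not run script if opened directly` would record why it is there. The handler body starts above the hunk.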