diff --git a/internal/server/browse.go b/internal/server/browse.go
index 6f718cd..0442c3d 100644
--- a/internal/server/browse.go
+++ b/internal/server/browse.go
@@ -348,11 +348,11 @@ func (s *Server) browseFile(w http.ResponseWriter, r *http.Request, ecosystem, n
 }
 defer func() { _ = fileReader.Close() }()
- // Set content type based on file extension
 contentType := detectContentType(filePath)
 w.Header().Set("Content-Type", contentType)
+ w.Header().Set("Content-Security-Policy", "sandbox")
+ w.Header().Set("X-Content-Type-Options", "nosniff")
- // Set filename for download
 _, filename := path.Split(filePath)
 w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", filename))
@@ -368,8 +368,8 @@ func detectContentType(filename string) string {
 // Text formats
 case ".txt", ".md", ".markdown":
 return contentTypePlainText
- case ".html", ".htm":
- return "text/html; charset=utf-8"
+ case ".html", ".htm", ".xhtml":
+ return contentTypePlainText
 case ".css":
 return "text/css; charset=utf-8"
 case ".js", ".mjs":
@@ -423,7 +423,7 @@ func detectContentType(filename string) string {
 case ".gif":
 return "image/gif"
 case ".svg":
- return "image/svg+xml"
+ return contentTypePlainText
 case ".ico":
 return "image/x-icon"
diff --git a/internal/server/browse_test.go b/internal/server/browse_test.go
index 2706e90..e47bcc9 100644
--- a/internal/server/browse_test.go
+++ b/internal/server/browse_test.go
@@ -179,6 +179,10 @@ func TestDetectContentType(t *testing.T) {
 {"file.go", "text/x-go; charset=utf-8"},
 {"file.py", "text/x-python; charset=utf-8"},
 {"file.rs", "text/x-rust; charset=utf-8"},
+ {"file.html", contentTypePlainText},
+ {"file.htm", contentTypePlainText},
+ {"file.xhtml", contentTypePlainText},
+ {"file.svg", contentTypePlainText},
 {"file.png", "image/png"},
 {"file.jpg", "image/jpeg"},
 {"README", contentTypePlainText},
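Review bot: The two new `w.Header().Set` calls for `Content-Security-Policy` and `X-Content-Type-Options` carry no comment, and the same hunk deletes the two comments that previously explained this block, so a later reader has nothing telling them why a file-serving handler emits a CSP at all. A why-comment above the new lines would keep them from being removed as noise, e.g. `// Package contents are untrusted: sandbox any rendering and forbid MIME sniffing so a browser never executes them in this origin.` Because detectContentType (changed further down in this diff) also stops returning renderable types for HTML and SVG, the comment should say these headers are the second, independent layer rather than a duplicate of that change. browseFile starts before and ends after the hunk, so the surrounding body was not reviewed.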
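Review bot: The new `case ".html", ".htm", ".xhtml":` branch returns `contentTypePlainText` under the `// Text formats` heading with nothing stating that the mislabelling is intentional, and the same applies to the `.svg` case in the hunk at `@@ -423`, which still sits among the image types; a maintainer tidying the switch could plausibly restore `text/html` or `image/svg+xml` and reopen the issue this commit closes. I would add one comment on each branch, e.g. `// Deliberately plain text: package files are untrusted and must not be rendered as a document or script-bearing image.` Moving the `.svg` case next to the HTML cases, or grouping both under a single "never rendered" comment, would make the intent visible in one place. Whether any other markup-style extension handled elsewhere in this switch (not visible in these hunks) still maps to a renderable type is worth checking at the same time. detectContentType continues outside both hunks.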
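Review bot: The added table rows pin the new detectContentType mapping, but nothing in this diff exercises the two response headers browseFile now sets, so a regression that drops `Content-Security-Policy: sandbox` or `X-Content-Type-Options: nosniff` would still pass the suite (unless a handler-level test exists elsewhere in this file). A test that drives browseFile through `httptest.NewRecorder()` and asserts both header values alongside the Content-Type would cover the part of the change that matters most. TestDetectContentType starts and ends outside the hunk.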