diff --git a/.infra/kube/tusd-kube.yaml b/.infra/kube/tusd-kube.yaml
index 8cbf98a..cffd91f 100644
--- a/.infra/kube/tusd-kube.yaml
+++ b/.infra/kube/tusd-kube.yaml
@@ -40,7 +40,8 @@ spec:
 requests:
 memory: "1Gi"
 ports:
- - containerPort: 8080
+ - name: tusd-web
+ containerPort: 8080
 securityContext:
 runAsUser: 0
 fsGroup: 0
@@ -59,7 +60,8 @@ metadata:
 namespace: tus
 spec:
 ports:
- - port: 80
+ - name: tusd-web
+ port: 80
 targetPort: 8080
 protocol: TCP
 selector:
@@ -73,6 +75,14 @@ metadata:
 annotations:
 kubernetes.io/tls-acme: "true"
 kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ # Security: Don't allow people to upload html and then have browsers parse it
+ if ($uri ~ \.(?!(jpe?g|gif|png|webp|webm|mp4|mpg|avi|3gp|wav|mp3))$) {
+ add_header Content-Type application/octet-stream;
+ add_header Content-Disposition "attachment; filename=$basename";
+ add_header X-Download-Options noopen;
+ add_header X-Content-Type-Options nosniff;
+ }
 nginx.ingress.kubernetes.io/proxy-body-size: 0m
 nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
 nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
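Review bot: The `if` condition in the added configuration-snippet (third hunk) does not match an uploaded `.html` file: in `\.(?!(jpe?g|…))$` the lookahead consumes nothing, so `$` has to follow the dot directly and only URIs ending in a literal `.` receive the headers. A negated allowlist states the intent and also covers URIs that carry no extension at all, `if ($uri !~ "\.(jpe?g|gif|png|webp|webm|mp4|mpg|avi|3gp|wav|mp3)$") {`. Inside the block, `add_header Content-Type …` appends a second header and leaves the upstream Content-Type in the response, so the override would need `more_set_headers "Content-Type: application/octet-stream";` (the headers-more module is bundled with ingress-nginx). `$basename` is not set in the visible lines and is not a built-in nginx variable, so unless it is defined elsewhere the generated config will likely fail to load; a plain `Content-Disposition: attachment` without a filename avoids that dependency. The annotations mapping continues outside the hunk.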