diff --git a/handlers.go b/handlers.go
index 77d1ced..e24fed6 100644
--- a/handlers.go
+++ b/handlers.go
@@ -3,7 +3,6 @@ package rushlink
 import (
 "crypto/subtle"
 "fmt"
- "io"
 "log"
 "mime/multipart"
 "net/http"
@@ -95,12 +94,17 @@ func (rl *rushlink) uploadFileGetHandler(w http.ResponseWriter, r *http.Request)
 // unexpected error
 panic(err)
 }
- w.Header().Set("Content-Type", fu.ContentType)
- w.WriteHeader(http.StatusOK)
- if r.Method == "HEAD" {
- return
+ info, err := file.Stat()
+ var modtime time.Time
+ if err != nil {
+ log.Printf("error: %v", errors.Wrapf(err, "could not stat file '%v'", filePath))
+ } else {
+ modtime = info.ModTime()
 }
- io.Copy(w, file)
+ // We use http.ServeContent (instead of http.ServeFile) because we cannot
+ // use http.ServeFile together with the assertion that the file exists,
+ // without introducing a TOCTOU flaw.
+ http.ServeContent(w, r, fu.FileName, modtime, file)
 }
 
 func (rl *rushlink) viewPasteHandler(w http.ResponseWriter, r *http.Request) {
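Review bot: The `http.ServeContent` call in the second hunk no longer sends the stored `fu.ContentType`, because `w.Header().Set("Content-Type", fu.ContentType)` is removed without a replacement. ServeContent then derives the type from the extension of `fu.FileName` and, failing that, from sniffing the first 512 bytes. In an upload handler that lets the uploader's file name and content decide whether the response is treated as HTML in this origin; how `fu.ContentType` was derived is not visible here, so this may not be a regression, but it should be an explicit decision. ServeContent leaves a preset Content-Type untouched, so keeping `w.Header().Set("Content-Type", fu.ContentType)` before the call and adding `w.Header().Set("X-Content-Type-Options", "nosniff")` retains the Range and conditional-request handling without the type change. The body of uploadFileGetHandler starts outside the hunk.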