by svens_
127 days ago
This assumption has unfortunately led to countless security issues, at least in the past. The nosniff header (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...) was created because of this and should be added. While this probably works, you should also add a restrictive CSP (using the sandbox directive). Forcing the download (via Content-Disposition header) would likely be even better, but it is annoying for users.
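The three headers named in the comment above, as an added example that is not part of the thread and not the commenter's code: one helper builds the response headers a server would send when serving a (possibly user-supplied) HTML file as plain text, and a second helper checks an arbitrary header set for the same protections, which is the kind of test a reviewer would run against a real endpoint. The helper names and the sample header sets are constructed for illustration; the header values themselves are the standard ones.

```python
# Added example: headers for serving HTML source as text/plain, plus a checker.
# Helper names (hardened_text_headers, check_text_response) and the sample
# header dicts below are constructed for this illustration.


def hardened_text_headers(filename="page.html", force_download=False):
    """Headers for serving an untrusted HTML file as plain text.

    - Content-Type: text/plain with an explicit charset, so the body is
      declared as text rather than HTML.
    - X-Content-Type-Options: nosniff, so the browser does not sniff the
      body and promote it to text/html on its own.
    - Content-Security-Policy: sandbox, so that even if the document were
      somehow treated as HTML it would get no script, no forms and no
      same-origin privileges.
    - Content-Disposition: attachment (optional) forces a download instead
      of rendering; it is the strongest option but less convenient.
    """
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
    if force_download:
        # Strip characters that could break out of the quoted filename.
        safe_name = "".join(c for c in filename if c not in '"\r\n')
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Disposition"] = "inline"
    return headers


def check_text_response(headers):
    """Return findings for a response that claims to serve source as text.

    Header names are compared case-insensitively, as HTTP requires. An empty
    list means all three protective headers are present and well-formed.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    ctype = h.get("content-type", "")
    if not ctype.lower().startswith("text/plain"):
        findings.append(f"Content-Type is {ctype!r}, expected text/plain")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(
            "X-Content-Type-Options: nosniff is missing; "
            "the browser may sniff the body as HTML"
        )

    csp = h.get("content-security-policy", "")
    directives = [d.strip().lower() for d in csp.split(";")]
    if not any(d == "sandbox" or d.startswith("sandbox ") for d in directives):
        findings.append("Content-Security-Policy lacks a sandbox directive")

    return findings


if __name__ == "__main__":
    # Constructed sample: a server that only sets Content-Type.
    weak = {"content-type": "text/plain"}
    for line in check_text_response(weak):
        print("finding:", line)
    print("hardened:", check_text_response(hardened_text_headers()))
```

The checker treats `Content-Security-Policy: sandbox` and a longer policy such as `default-src 'none'; sandbox` the same way, since the sandbox directive is what matters for this case; the other directives are irrelevant once the document is served as text.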
Serving HTML source as text/plain is safe. No browser capable of understanding CSP is going to be at risk of anything that CSP would actually protect against in this case.