diff --git a/onionr/httpapi/onionrsitesapi/__init__.py b/onionr/httpapi/onionrsitesapi/__init__.py
index 3db799fb..f369c475 100644
--- a/onionr/httpapi/onionrsitesapi/__init__.py
+++ b/onionr/httpapi/onionrsitesapi/__init__.py
@@ -64,11 +64,11 @@ def site(name: str)->Response:
         abort(404)
     return Response(resp)
 
-@site_api.route('/site//', endpoint='siteFile')
+@site_api.route('/site//', endpoint='siteFile')
 def site_file(name: str, file: str)->Response:
     """Accept a site 'name', if pubkey then show multi-page site, if hash show single page site"""
     resp: str = 'Not Found'
-    mime_type = 'text/html'
+    mime_type = mimetypes.MimeTypes().guess_type(file)[0]
 
     # If necessary convert the name to base32 from mnemonic
     if mnemonickeys.DELIMITER in name:
@@ -92,4 +92,4 @@ def site_file(name: str, file: str)->Response:
             pass
     if resp == 'Not Found' or not resp:
         abort(404)
-    return Response(resp)
+    return Response(resp, mimetype=mime_type)
diff --git a/onionr/httpapi/security/client.py b/onionr/httpapi/security/client.py
index bf4fdd5b..fbc2e6e0 100644
--- a/onionr/httpapi/security/client.py
+++ b/onionr/httpapi/security/client.py
@@ -49,6 +49,7 @@ class ClientAPISecurity:
             if request.endpoint in whitelist_endpoints:
                 return
 
+            if request.path.startswith('/site/'): return
             try:
                 if not hmac.compare_digest(request.headers['token'], client_api.clientToken):
                     if not hmac.compare_digest(request.form['token'], client_api.clientToken):
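Review bot: `mimetypes.MimeTypes().guess_type(file)[0]` on the new `mime_type` line yields `None` for any extension the mime database does not know, and a `None` mimetype handed to `Response` at the end of this function leaves Flask's default `text/html` in effect, so an unrecognised file pulled from an untrusted site is rendered as HTML; the line also constructs a fresh `MimeTypes` instance, which re-reads the system mime files, on every request. Use the module-level helper with an explicit non-renderable fallback: `mime_type = mimetypes.guess_type(file)[0] or 'application/octet-stream'`. The type is still derived from the peer-supplied filename rather than from the bytes, so confirm that `X-Content-Type-Options: nosniff` is among the headers `set_default_onionr_http_headers` applies (not visible here). The decorator reads `'/site//'` in this rendering, which looks like stripped `<name>/<file>` placeholders; `site_file`'s body continues past the end of the hunk.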
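Review bot: The added `if request.path.startswith('/site/'): return` exempts requests from the token check by raw path prefix, while the line right above it exempts by `request.endpoint in whitelist_endpoints`; the two mechanisms disagree, and the prefix test also covers every route that is ever added under `/site/` as well as paths that match no route at all. The site endpoints already have stable names (`siteapi.site`, `siteapi.siteFile`, used in `after_req` below), so add them to `whitelist_endpoints` — defined outside this hunk — and drop the path test. If a path-shaped check must stay, match on the blueprint instead, `if request.endpoint and request.endpoint.startswith('siteapi.'): return`, and put the `return` on its own line per PEP 8. The enclosing function starts and ends outside the hunk.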
@@ -61,8 +62,8 @@ class ClientAPISecurity:
         def after_req(resp):
             # Security headers
             resp = httpheaders.set_default_onionr_http_headers(resp)
-            if request.endpoint == 'siteapi.site':
-                resp.headers['Content-Security-Policy'] = "default-src 'none'; style-src data: 'unsafe-inline'; img-src data:"
+            if request.endpoint in ('siteapi.site', 'siteapi.siteFile'):
+                resp.headers['Content-Security-Policy'] = "default-src 'none'; style-src 'self' data: 'unsafe-inline'; img-src 'self' data:; media-src 'self' data:"
             else:
                 resp.headers['Content-Security-Policy'] = "default-src 'none'; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'none'; frame-src 'none'; font-src 'self'; connect-src 'self'"
-            return resp
\ No newline at end of file
+            return resp
diff --git a/static-data/www/shared/sites.js b/static-data/www/shared/sites.js
index 6aedcf87..1ea9be0a 100755
--- a/static-data/www/shared/sites.js
+++ b/static-data/www/shared/sites.js
@@ -9,12 +9,12 @@ function checkHex(str) {
 document.getElementById('openSite').onclick = function(){
     var hash = document.getElementById('siteViewer').value
     if (hash.length == 0){ return }
-    if (checkHex(hash) && hash.length >= 50){
+    if (checkHex(hash) && hash.length >= 50 || hash.length == 52 || hash.length == 56){
         window.location.href = '/site/' + hash
     }
     else{
         PNotify.notice({
-            text: 'Invalid site hash'
+            text: 'Invalid site hash/ID'
         })
     }
 }
\ No newline at end of file
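Review bot: The new site-page policy still omits `form-action`, `base-uri` and `frame-ancestors`, none of which fall back to `default-src`, so a page served from an untrusted peer can submit a form to any origin, inject a `<base href>` that redirects its relative `'self'` loads, or be framed. Append them to the string on the `siteapi.site`/`siteapi.siteFile` branch: `"default-src 'none'; style-src 'self' data: 'unsafe-inline'; img-src 'self' data:; media-src 'self' data:; form-action 'none'; base-uri 'none'; frame-ancestors 'none'"`, or add `sandbox` if hosted sites are not meant to run anything at all. Granting `'self'` to `style-src`, `img-src` and `media-src` also lets a hosted site trigger GET requests to any same-origin client-API path, so the token check on the non-site endpoints is what keeps that harmless. The `else` branch has the same missing directives but is not changed by this commit; `after_req`'s decorator sits before the hunk.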
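Review bot: In the new condition `checkHex(hash) && hash.length >= 50 || hash.length == 52 || hash.length == 56`, `&&` binds tighter than `||`, so any 52- or 56-character string — including one containing `/`, `?`, `#` or `..` — skips `checkHex` entirely and is placed straight into `window.location.href`, defeating the validation this branch exists for. Make the character-set check explicit for the new ID lengths and parenthesize: `var isBase32 = /^[a-z2-7]+$/i.test(hash)` followed by `if ((checkHex(hash) && hash.length >= 50) || (isBase32 && (hash.length == 52 || hash.length == 56))){`. That 52 and 56 are base32 key/onion lengths is inferred from the values, not stated in the hunk; the server must validate `name` regardless of what this client check accepts. `checkHex` is defined before the hunk.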