Most webservers have a way of adding a header# Content-disposition "attachment; filename=$1"; that forces downloads. Nginx at least guesses based on file extension / mime type.
FYI - I've also recently run across end users who are likely victims of overzealous IT departments that disable Basic Auth, even on HTTPS connections. Even though they don't do anything to form fields which might contain the exact same data. I don't mind if they break their own domains but the whole Internet?
Firefox used to have a settings screen where you could go file type by file type overriding the browser behavior and setting it to ignore Content-Disposition.
# https://stackoverflow.com/questions/9054354/how-to-force-fil...
# https://stackoverflow.com/questions/37131398/how-to-configur...
FYI - I've also recently run across end users who are likely victims of overzealous IT departments that disable Basic Auth, even on HTTPS connections. Even though they don't do anything to form fields which might contain the exact same data. I don't mind if they break their own domains but the whole Internet?