diff --git a/server/handlers.go b/server/handlers.go
index a5cccb5c44daa2f943366eee78a9b326e7bdcf59..704a987b19834154afcc8a20a45a8b4230552c93 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -1232,16 +1232,8 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("X-Remaining-Downloads", remainingDownloads)
 	w.Header().Set("X-Remaining-Days", remainingDays)
 
-	if rng != nil && rng.ContentRange() != "" {
-		w.WriteHeader(http.StatusPartialContent)
-	}
-
-	if disposition == "inline" && canContainsXSS(contentType) {
-		reader = io.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
-	}
-
 	password := r.Header.Get("X-Decrypt-Password")
-	decryptionReader, err := attachDecryptionReader(reader, password)
+	reader, err = attachDecryptionReader(reader, password)
 	if err != nil {
 		http.Error(w, "Could not decrypt file", http.StatusInternalServerError)
 		return
@@ -1256,7 +1248,15 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Length", strconv.FormatUint(contentLength, 10))
 	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")
 
-	if _, err = io.Copy(w, decryptionReader); err != nil {
+	if rng != nil && rng.ContentRange() != "" {
+		w.WriteHeader(http.StatusPartialContent)
+	}
+
+	if disposition == "inline" && canContainsXSS(contentType) {
+		reader = io.NopCloser(bluemonday.UGCPolicy().SanitizeReader(reader))
+	}
+
+	if _, err = io.Copy(w, reader); err != nil {
 		s.logger.Printf("%s", err.Error())
 		http.Error(w, "Error occurred copying to output stream", http.StatusInternalServerError)
 		return