diff --git a/web/functions/r2/[[path]].ts b/web/functions/r2/[[path]].ts
index df6f247..9a54dd3 100644
--- a/web/functions/r2/[[path]].ts
+++ b/web/functions/r2/[[path]].ts
@@ -26,6 +26,13 @@ export const onRequest: PagesFunction<Env> = async (context) => {
 		headers.set('Cache-Control', 'public, max-age=60');
 		headers.set('Access-Control-Allow-Origin', '*');
 
+		// R2 binding strips Content-Encoding when serving object body, even when
+		// the object was stored with ContentEncoding metadata. Re-apply it so
+		// browsers know to decompress gzipped objects (.json.gz, .gz).
+		if (key.endsWith('.gz') && !headers.has('Content-Encoding')) {
+			headers.set('Content-Encoding', 'gzip');
+		}
+
 		return new Response(object.body, { headers });
 	} catch (err: unknown) {
 		const msg = err instanceof Error ? err.message : String(err);
diff --git a/web/public/_headers b/web/public/_headers
index ca8757a..0bdf4e3 100644
--- a/web/public/_headers
+++ b/web/public/_headers
@@ -14,5 +14,5 @@
 # Default
 /*
   X-Content-Type-Options: nosniff
-  X-Frame-Options: DENY
+  X-Frame-Options: SAMEORIGIN
   X-XSS-Protection: 1; mode=block