This commit lets workhorse set the content-type when serving
artifacts. This prevents an attacker to host a maliciou JavaScript
payload as an artifact and bypass our CSP.

Changelog: security