diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
new file mode 100644
index 0000000000000000000000000000000000000000..f13a543cfdd78c67c82821f56bed6636beb2d41e
--- /dev/null
+++ b/app/controllers/files_controller.rb
@@ -0,0 +1,8 @@
+class FilesController < ApplicationController
+ def download
+ uploader = Note.find(params[:id]).attachment
+ uploader.retrieve_from_store!(params[:filename])
+ send_file uploader.file.path, disposition: 'attachment'
+ end
+end
+
diff --git a/app/uploaders/attachment_uploader.rb b/app/uploaders/attachment_uploader.rb
index 3dbf2860bd4477000a17304bd122eae38f5b321e..3dd2117e339a8dfed2083461af68e18240841240 100644
--- a/app/uploaders/attachment_uploader.rb
+++ b/app/uploaders/attachment_uploader.rb
@@ -19,4 +19,8 @@ class AttachmentUploader < CarrierWave::Uploader::Base
 rescue
 false
 end
+
+ def secure_url
+ "/files/#{model.class.to_s.underscore}/#{model.id}/#{file.filename}"
+ end
 end
diff --git a/app/views/events/event/_note.html.haml b/app/views/events/event/_note.html.haml
index 20c3b927067938c151349a1d8fb37fe7cd8c2054..19665ce0aeaebace6b5bbb1bbb2e0bb23198bb5a 100644
--- a/app/views/events/event/_note.html.haml
+++ b/app/views/events/event/_note.html.haml
@@ -26,7 +26,7 @@
 = markdown truncate(event.target.note, length: 70)
 - note = event.target
 - if note.attachment.url
- = link_to note.attachment.url, target: "_blank", class: 'note-file-attach' do
+ = link_to note.attachment.secure_url, target: "_blank", class: 'note-file-attach' do
 - if note.attachment.image?
 = image_tag note.attachment.url, class: 'note-image-attach'
 - else
diff --git a/app/views/notes/_note.html.haml b/app/views/notes/_note.html.haml
index 4d3007a0ed1ddc8406bb5abeab33c054862b9afe..b355e2a0bd4ef4f8cdf8c7c29b9befc1c124bff5 100644
--- a/app/views/notes/_note.html.haml
+++ b/app/views/notes/_note.html.haml
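Review bot: `download` in app/controllers/files_controller.rb loads the record with `Note.find(params[:id])` and streams its file without checking that the requesting user may read whatever the note belongs to. Unless a filter in ApplicationController (not visible here) already enforces that, any caller who can reach the route can fetch any note's attachment by counting ids. Add a guard before `send_file`, for example `return head(:not_found) unless <current user may read this note's parent>`, using the application's own permission helper. The method also passes the caller-supplied `params[:filename]` to `retrieve_from_store!` and never reads `params[:type]`; rejecting the request when the name differs from `note.attachment_identifier` would keep the lookup tied to the stored record.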
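Review bot: `secure_url` in app/uploaders/attachment_uploader.rb interpolates `file.filename` and the underscored class name into the path unescaped. A file name with a space, parenthesis or non-ASCII character, or a multi-word model whose `underscore` form contains `_`, therefore yields a link that the constraints added in config/routes.rb (`type: /[a-z]+/`, `filename: /[a-zA-Z.0-9_\-\+]+/`) will not match. Either sanitise names on upload to that character set or escape the segment here and widen the constraint to agree. The name also suggests the URL itself is protected, so a comment such as `# Path served by FilesController#download; access control must live in that action, not in this URL.` would tell the next reader where the check belongs. The class body starts outside the hunk.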
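Review bot: Only the link target in app/views/events/event/_note.html.haml was switched to `secure_url`; the `image_tag note.attachment.url` two lines below it still emits the direct upload URL. Image attachments therefore keep being fetched from, and disclosing, the storage path without passing through `FilesController#download`. The same unchanged `image_tag` line sits in the app/views/notes/_note.html.haml hunk. Use `= image_tag note.attachment.secure_url, class: 'note-image-attach'` in both partials so every reference to the file goes through the controller.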
@@ -31,7 +31,7 @@
 - if note.attachment.image?
 = image_tag note.attachment.url, class: 'note-image-attach'
 .attachment.pull-right
- = link_to note.attachment.url, target: "_blank" do
+ = link_to note.attachment.secure_url, target: "_blank" do
 %i.icon-paper-clip
 = note.attachment_identifier
 .clear
diff --git a/config/routes.rb b/config/routes.rb
index 47c8a4122f5f0c2bcf3077b86237f8e23a965b06..d717e7352e656e488649322fcf9a441523b2926e 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -45,6 +45,11 @@ Gitlab::Application.routes.draw do
 root to: "projects#index"
 end
 
+ #
+ # Attachments serving
+ #
+ get 'files/:type/:id/:filename' => 'files#download', constraints: { id: /\d+/, type: /[a-z]+/, filename: /[a-zA-Z.0-9_\-\+]+/ }
+
 #
 # Admin Area
 #
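Review bot: The new route in config/routes.rb accepts a `:type` segment that `FilesController#download` never reads, since it always looks up `Note`, so any lowercase word in that position resolves to a note attachment. Constrain it to what is actually served, e.g. `type: /note/`, until the controller dispatches on it. The filename pattern also admits dot-only values such as `..`, which then reach `retrieve_from_store!`; requiring a leading alphanumeric, `filename: /[a-zA-Z0-9][a-zA-Z.0-9_\-\+]*/`, rejects those at the routing layer. The `routes.draw` block starts and ends outside the hunk.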