    Disable caching for wiki attachments · 943ebda3
    Markus Koller authored
    These were served with `Content-Disposition: inline` in some situations,
    which led to a Stored XSS attack using SVG files.
    
    Workhorse has protections specifically against SVG files and will
    rewrite the `Content-Disposition` header to `attachment`, but this
    processing is skipped for cached 304 responses.
    
    By disabling caching we force Workhorse to always rewrite this header.
security-disable-caching-for-wiki-attachments.yml 86 Bytes
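The caching interaction the commit describes, modelled as an added Go example that is not GitLab or Workhorse code: a stand-in upstream that serves the attachment inline and answers a revalidation with 304 when caching is on, a writer wrapper that, like the Workhorse behaviour described above, rewrites Content-Disposition only for 200 responses, and the fix of sending Cache-Control: no-store so revalidation never produces a 304. The ETag, SVG body, request path and the exact headers the app sends are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

const sampleETag = `"wiki-attachment-v1"` // constructed sample value
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg"></svg>` // constructed sample

// upstream models the app serving a wiki attachment inline. With caching on, a
// matching If-None-Match gets a 304; with caching off it always sends a 200.
func upstream(cachingEnabled bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Type", "image/svg+xml")
		h.Set("Content-Disposition", "inline") // assumed: what the app sent
		if !cachingEnabled {
			h.Set("Cache-Control", "no-store") // the fix: nothing to revalidate
		} else {
			h.Set("ETag", sampleETag)
			if r.Header.Get("If-None-Match") == sampleETag {
				w.WriteHeader(http.StatusNotModified)
				return
			}
		}
		w.WriteHeader(http.StatusOK)
		w.Write([]byte(sampleSVG))
	})
}

// svgRewriter models the described Workhorse behaviour: only a 200 is rewritten.
type svgRewriter struct{ http.ResponseWriter }

func (s svgRewriter) WriteHeader(code int) {
	if code == http.StatusOK && s.Header().Get("Content-Type") == "image/svg+xml" {
		s.Header().Set("Content-Disposition", "attachment")
	}
	s.ResponseWriter.WriteHeader(code)
}

// dispositionFor revalidates as a browser holding a cached copy would and
// returns the status and Content-Disposition it observes.
func dispositionFor(cachingEnabled bool) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/wiki/attachments/sample.svg", nil)
	req.Header.Set("If-None-Match", sampleETag)
	rec := httptest.NewRecorder()
	upstream(cachingEnabled).ServeHTTP(svgRewriter{rec}, req)
	return rec.Code, rec.Header().Get("Content-Disposition")
}
```

With caching on, the 304 passes through with `inline` untouched; with no-store, every response is a 200 and leaves as `attachment`.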