diff --git a/core/authentication/admin.py b/core/authentication/admin.py
index f972c82..ed88ace 100644
--- a/core/authentication/admin.py
+++ b/core/authentication/admin.py
@@ -1,9 +1,7 @@
 from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin
-from django.contrib.auth.models import Permission
-from django.contrib.contenttypes.models import ContentType
-from authentication.models import ExtendedUser, EventPermission, ExtendedAuthToken, AuthTokenEventPermissions
+from authentication.models import ExtendedUser
 class ExtendedUserAdmin(UserAdmin):
diff --git a/core/files/media_v2.py b/core/files/media_v2.py
index 7dd784d..232a3e2 100644
--- a/core/files/media_v2.py
+++ b/core/files/media_v2.py
@@ -1,9 +1,12 @@
+from datetime import datetime, timedelta
+
 from coverage.annotate import os
 from django.http import HttpResponse
 from django.urls import path
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import status
-from rest_framework.decorators import api_view
+from rest_framework.decorators import api_view, permission_classes
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 from core.settings import MEDIA_ROOT
@@ -12,8 +15,12 @@ from files.models import File
 @swagger_auto_schema(method='GET', auto_schema=None)
 @api_view(['GET'])
+@permission_classes([IsAuthenticated])
 def media_urls(request, hash):
 try:
+ if request.META.get('HTTP_IF_NONE_MATCH') and request.META.get('HTTP_IF_NONE_MATCH') == hash:
+ return HttpResponse(status=status.HTTP_304_NOT_MODIFIED)
+
 file = File.objects.get(hash=hash)
 hash_path = file.file
 return HttpResponse(status=status.HTTP_200_OK,
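Review bot: The context line `from coverage.annotate import os` at the top of core/files/media_v2.py reaches the standard `os` module through the `coverage` test tool, so this view module fails to import in any environment where `coverage` is not installed and depends on that package's internal import list. Since this hunk already edits the import block, it should be replaced with a plain `import os`.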
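Review bot: The `If-None-Match` check in `media_urls` runs before `File.objects.get(hash=hash)` and compares the header with the `hash` URL argument, so an authenticated client that echoes the URL value receives `304 Not Modified` even when no `File` row exists for it, and any per-object access check later added after the lookup would not run on this path. Do the lookup first and compare against the stored value, e.g. `if request.META.get('HTTP_IF_NONE_MATCH') == file.hash:` placed after `file = File.objects.get(hash=hash)`. The test is also an exact string match, so a quoted or weak (`W/"…"`) validator or a comma-separated list in the header will never match. The `thumbnail_urls` hunk (`@@ -29,9 +40,12 @@`) has the same ordering, and the body of `media_urls` continues outside this hunk.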
@@ -21,7 +28,11 @@ def media_urls(request, hash):
 headers={
 'X-Accel-Redirect': f'/redirect_media/{hash_path}',
 'Access-Control-Allow-Origin': '*',
- }) # TODO Expires and Cache-Control
+ 'Cache-Control': 'max-age=31536000, private',
+ 'Expires': datetime.utcnow() + timedelta(days=365),
+ 'Age': 0,
+ 'ETag': file.hash,
+ })
 except File.DoesNotExist:
 return Response(status=status.HTTP_404_NOT_FOUND)
@@ -29,9 +40,12 @@ def media_urls(request, hash):
 @swagger_auto_schema(method='GET', auto_schema=None)
 @api_view(['GET'])
+@permission_classes([IsAuthenticated])
 def thumbnail_urls(request, size, hash):
 if size not in [32, 64, 256]:
 return Response(status=status.HTTP_404_NOT_FOUND)
+ if request.META.get('HTTP_IF_NONE_MATCH') and request.META.get('HTTP_IF_NONE_MATCH') == hash + "_" + str(size):
+ return HttpResponse(status=status.HTTP_304_NOT_MODIFIED)
 try:
 file = File.objects.get(hash=hash)
 hash_path = file.file
@@ -50,7 +64,11 @@ def thumbnail_urls(request, size, hash):
 headers={
 'X-Accel-Redirect': f'/redirect_thumbnail/{size}/{hash_path}',
 'Access-Control-Allow-Origin': '*',
- }) # TODO Expires and Cache-Control
+ 'Cache-Control': 'max-age=31536000, private',
+ 'Expires': datetime.utcnow() + timedelta(days=365),
+ 'Age': 0,
+ 'ETag': file.hash + "_" + str(size),
+ })
 except File.DoesNotExist:
 return Response(status=status.HTTP_404_NOT_FOUND)
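Review bot: `'Cache-Control': 'max-age=31536000, private'` on an endpoint that this same commit puts behind `IsAuthenticated` lets the browser reuse the response for a year without contacting the server, so after the first fetch neither the permission check nor the `If-None-Match` path is consulted again, and a logout or revoked account does not end access from that browser's cache. If revocation matters, `'Cache-Control': 'private, no-cache'` keeps the ETag and forces every reuse to revalidate through the authenticated view. `'Expires': datetime.utcnow() + timedelta(days=365)` passes a datetime object, which Django will most likely render with `str()` rather than as an HTTP-date; use `http_date(time.time() + 31536000)` from `django.utils.http` or drop the header, since `max-age` takes precedence. `Age` is meant to be set by caches rather than the origin, and the validator should be a quoted string, `'ETag': f'"{file.hash}"'`. The `thumbnail_urls` header hunk (`@@ -50,7 +64,11 @@`) repeats all of this, and the `HttpResponse(...)` call opens outside this hunk.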