diff --git a/frontend/src/api/pub.js b/frontend/src/api/pub.js
index 99642309..58eb1eb6 100644
--- a/frontend/src/api/pub.js
+++ b/frontend/src/api/pub.js
@@ -5,7 +5,7 @@ export async function fetch(url, password = "") {
 url = removePrefix(url);
 const res = await fetchURL(`/api/public/share${url}`, {
- headers: { "X-SHARE-PASSWORD": password },
+ headers: { "X-SHARE-PASSWORD": encodeURIComponent(password) },
 });
 if (res.status === 200) {
diff --git a/http/public.go b/http/public.go
index 80bb6e2a..7f3a309f 100644
--- a/http/public.go
+++ b/http/public.go
@@ -3,6 +3,7 @@ package http
 import (
 "errors"
 "net/http"
+ "net/url"
 "path"
 "path/filepath"
 "strings"
@@ -124,6 +125,10 @@ func authenticateShareRequest(r *http.Request, l *share.Link) (int, error) {
 }
 password := r.Header.Get("X-SHARE-PASSWORD")
+ password, err := url.QueryUnescape(password)
+ if err != nil {
+ return 0, err
+ }
 if password == "" {
 return http.StatusUnauthorized, nil
 }
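Review bot: The `headers` line now percent-encodes the password, but nothing records why or that the server is expected to decode it, so the contract between the two sides is implicit. I would add a comment above that line, e.g. `// Percent-encoded so non-ASCII passwords are valid in a header value; the server decodes X-SHARE-PASSWORD.` Any other caller that sets this header (none is visible in this hunk) would need the same encoding to keep authenticating. The body of `fetch` continues outside the hunk.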
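Review bot: The decode-failure branch returns `0, err`, while the only other return visible in this hunk pairs a real status with `nil`; a malformed escape in a client-supplied header is a bad request, and I would make that explicit with `return http.StatusBadRequest, nil` rather than depend on how the caller treats a zero status. `url.QueryUnescape` also turns `+` into a space, which `encodeURIComponent` never produces, so `url.PathUnescape` is the closer inverse and would leave a literal `+` sent by other clients untouched. If the returned error is logged upstream (not visible here), its text quotes the offending escape, i.e. a fragment of the submitted password. `authenticateShareRequest` starts before and continues after this hunk.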