diff --git a/web/root/api/files.ssjs b/web/root/api/files.ssjs
index a45a52bc369addcb41e482fb8fe6cd0d748f2a67..f128ffbaeafc44b72e72e4176f5e9bcf3399b185 100644
--- a/web/root/api/files.ssjs
+++ b/web/root/api/files.ssjs
@@ -1,3 +1,4 @@
+load('sbbsdefs.js');
 var settings = load('modopts.js', 'web');
 
 load(settings.web_directory + '/lib/init.js');
@@ -29,7 +30,14 @@ if ((http_request.method === 'GET' || http_request.method === 'POST') &&
 						return true;
 					}
 				});
-				if (file === null) break;
+				if (file === null) {
+					reply.error = 'File not found';
+					break;
+				}
+				if (!file_area.dir[dircode].is_exempt && file.credits > (user.security.credits + user.security.free_credits)) {
+					reply.error = 'Not enough credits to download this file';
+					break;
+				}
 				http_reply.header['Content-Type'] = 'application/octet-stream';
 				http_reply.header['Content-Disposition'] = 'attachment; filename="' + file.base + '.' + file.ext + '"';
 				http_reply.header['Content-Encoding'] = 'binary';