diff --git a/CHANGELOG b/CHANGELOG
index 7d7154487adcdd3c8a0075ef665fadd68c70860f..4c9b00084d5a47c53ff875d0109f312e0af8d754 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ v 8.5.0 (unreleased)
   - Add "visibility" flag to GET /projects api endpoint
   - Ignore binary files in code search to prevent Error 500 (Stan Hu)
   - Render sanitized SVG images (Stan Hu)
+  - Support download access by PRIVATE-TOKEN header (Stan Hu)
   - Upgrade gitlab_git to 7.2.23 to fix commit message mentions in first branch push
   - New UI for pagination
   - Don't prevent sign out when 2FA enforcement is enabled and user hasn't yet
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 824175c8a6c8f217ee428f8b3db84d50ad07a61c..7fa2f68ef07e84e3ef4b0e87f1d9426ba256410d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -60,6 +60,8 @@ def authenticate_user_from_token!
                    params[:authenticity_token].presence
                  elsif params[:private_token].presence
                    params[:private_token].presence
+                 elsif request.headers['PRIVATE-TOKEN'].present?
+                   request.headers['PRIVATE-TOKEN']
                  end
     user = user_token && User.find_by_authentication_token(user_token.to_s)