diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 53f377f7d7..0c9a1124e8 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Make `http_cache_forever` use `immutable: true`
+
+    *Nate Matykiewicz*
+
 *   Add `config.action_dispatch.strict_freshness`.
 
     When set to `true`, the `ETag` header takes precedence over the `Last-Modified` header when both are present,
diff --git a/actionpack/lib/action_controller/metal/conditional_get.rb b/actionpack/lib/action_controller/metal/conditional_get.rb
index d551aad40d..1f7418ed78 100644
--- a/actionpack/lib/action_controller/metal/conditional_get.rb
+++ b/actionpack/lib/action_controller/metal/conditional_get.rb
@@ -320,7 +320,7 @@ def expires_now
     #     user's web browser. To allow proxies to cache the response, set `true` to
     #     indicate that they can serve the cached response to all users.
     def http_cache_forever(public: false)
-      expires_in 100.years, public: public
+      expires_in 100.years, public: public, immutable: true
 
       yield if stale?(etag: request.fullpath,
                       last_modified: Time.new(2011, 1, 1).utc,
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index f009ac4f14..3a5778b879 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -1021,7 +1021,7 @@ def cache_me_forever
   def test_cache_with_public
     get :cache_me_forever, params: { public: true }
     assert_response :ok
-    assert_equal "max-age=#{100.years}, public", @response.headers["Cache-Control"]
+    assert_equal "max-age=#{100.years}, public, immutable", @response.headers["Cache-Control"]
     assert_not_nil @response.etag
     assert_predicate @response, :weak_etag?
   end
@@ -1029,7 +1029,7 @@ def test_cache_with_public
   def test_cache_with_private
     get :cache_me_forever
     assert_response :ok
-    assert_equal "max-age=#{100.years}, private", @response.headers["Cache-Control"]
+    assert_equal "max-age=#{100.years}, private, immutable", @response.headers["Cache-Control"]
     assert_not_nil @response.etag
     assert_predicate @response, :weak_etag?
   end
diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md
index f68a5ab8ab..ac52509c2b 100644
--- a/activestorage/CHANGELOG.md
+++ b/activestorage/CHANGELOG.md
@@ -1,2 +1,5 @@
+*   Mark proxied files as `immutable` in their Cache-Control header
+
+    *Nate Matykiewicz*
 
 Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/activestorage/CHANGELOG.md) for previous changes.
diff --git a/activestorage/test/controllers/blobs/proxy_controller_test.rb b/activestorage/test/controllers/blobs/proxy_controller_test.rb
index acd5372cd7..e0ccc5e52d 100644
--- a/activestorage/test/controllers/blobs/proxy_controller_test.rb
+++ b/activestorage/test/controllers/blobs/proxy_controller_test.rb
@@ -13,7 +13,7 @@ class ActiveStorage::Blobs::ProxyControllerTest < ActionDispatch::IntegrationTes
   test "HTTP caching" do
     get rails_storage_proxy_url(create_file_blob(filename: "racecar.jpg"))
     assert_response :success
-    assert_equal "max-age=3155695200, public", response.headers["Cache-Control"]
+    assert_equal "max-age=3155695200, public, immutable", response.headers["Cache-Control"]
   end
 
   test "invalidates cache and returns a 404 if the file is not found on download" do