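# Modules needed by this file: mod_setenv for the response headers and
# mod_redirect for the canonical-host redirect.
server.modules += (
    "mod_setenv",
    "mod_redirect",
)

# Baseline security headers, applied to every response unless a conditional
# block below assigns setenv.add-response-header again.
# NOTE(review): the CSP sets no frame-ancestors or base-uri, and object-src is
# 'self' rather than 'none'; confirm that is intended for this site.
# NOTE(review): "X-XSS-Protection: 1; mode=block" only affects the legacy
# browser XSS filter, which current browsers no longer ship; the CSP above is
# the effective control. Consider "0" or dropping the header.
setenv.add-response-header = (
    "Content-Security-Policy" => "default-src 'self'; img-src https:; object-src 'self'; script-src 'self'; style-src 'self'",
    "Referrer-Policy" => "no-referrer",
    "X-Content-Type-Options" => "nosniff",
    "X-Frame-Options" => "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies" => "none",
    "X-XSS-Protection" => "1; mode=block",
)

# include_shell runs this script when the configuration is loaded and parses
# whatever it prints as configuration. var.intendedHost and
# var.intendedHostProto are not defined in this file, so they presumably come
# from here (confirm). Keep the script root-owned and not writable by the
# web-server user, because its output is trusted as configuration.
include_shell "/usr/local/bin/lighttpd-env.sh"

# Redirect to the "official" domain.
# The target is built only from the configured variables, never from the
# request's Host header, so the redirect cannot be steered by the client.
# Requests under /.well-known are left alone so they are answered on whatever
# host name they arrived on.
$HTTP["host"] != var.intendedHost {
    # The dot is escaped so that only a literal "/.well-known" prefix is
    # exempt; an unescaped "." would also exempt e.g. "/xwell-known".
    $HTTP["url"] !~ "^/\.well-known" {
        url.redirect = (
            "^/(.*)" => var.intendedHostProto + "://" + var.intendedHost + "/$1"
        )
    }
}

# Add CORS header for WKD (OpenPGP Web Key Directory) lookups.
# "+=" is required here: a plain "=" inside a conditional replaces the global
# list, which would strip nosniff, the CSP and the other baseline headers from
# these responses. "+=" starts from the enclosing scope's list and appends.
$HTTP["url"] =~ "^/\.well-known/openpgpkey" {
    setenv.add-response-header += (
        "Access-Control-Allow-Origin" => "*",
    )
}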