From 22198da3bf6cac4308953349a965c7e1cab5394a Mon Sep 17 00:00:00 2001 From: Andrew Lock Date: Sun, 11 Jun 2023 20:54:18 +0100 Subject: [PATCH] Update README --- README.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index fdb050a..dda6cf8 100644 --- a/README.md +++ b/README.md @@ -56,10 +56,16 @@ This adds the following headers to all responses that pass through the middlewar * `X-Content-Type-Options: nosniff` * `Strict-Transport-Security: max-age=31536000; includeSubDomains` - _only applied to HTTPS responses_ -* `X-Frame-Options: Deny` - _only applied to `text/html` responses_ -* `X-XSS-Protection: 1; mode=block` - _only applied to `text/html` responses_ -* `Referrer-Policy: strict-origin-when-cross-origin` - _only applied to `text/html` responses_ -* `Content-Security-Policy: object-src 'none'; form-action 'self'; frame-ancestors 'none'` - _only applied to `text/html` responses_ +* `X-Frame-Options: Deny` - _only applied to "document" responses_ +* `X-XSS-Protection: 1; mode=block` - _only applied to "document" responses_ +* `Referrer-Policy: strict-origin-when-cross-origin` - _only applied to "document" responses_ +* `Content-Security-Policy: object-src 'none'; form-action 'self'; frame-ancestors 'none'` - _only applied to "document" responses_ + +"Document" responses are defined as responses that return one of the following content-types: + +- `text/html` +- `text/javascript` +- `application/javascript` ## Customising the security headers added to responses
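Review bot: the new "Document" definition at the end of the hunk lists bare content-types (`text/html`, `text/javascript`, `application/javascript`) but does not say whether the match tolerates media-type parameters such as `text/html; charset=utf-8`, which most real HTML responses carry; if the middleware compares the full `Content-Type` value exactly, those responses silently get none of the four headers, so the README should state the matching rule (prefix or parsed media type vs. exact string). It would also help to say why the JavaScript types are treated as "document" responses, since `X-Frame-Options`, `frame-ancestors` and `Referrer-Policy` only have an effect on responses a browser renders as a page; without that rationale a reader may assume the list is a typo. Minor style point: the new sub-list uses `-` bullets while the header list just above it uses `*`; consider `* \`text/html\`` etc. for consistency.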