diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59f7df4..b0bc653 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## Changes 12/13/2025 (v2.7.1)
+
+release(v2.7.1): harden share endpoint headers + suppress deprecated output
+
+- Replace deprecated FILTER_SANITIZE_STRING token/pass parsing with strict token validation
+- Add nosniff + no-cache + restrictive CSP to password prompt response
+- Buffer/suppress PHP notices (incl. E_DEPRECATED on PHP 8.4/Termux) in public/api/file/share.php so headers can’t be broken before streaming
+
+---
+
 ## Changes 12/13/2025 (v2.7.0)
 
 release(v2.7.0): fix critical SVG XSS on public share links
diff --git a/public/api/file/share.php b/public/api/file/share.php
index 9402b94..5d9d430 100644
--- a/public/api/file/share.php
+++ b/public/api/file/share.php
@@ -1,34 +1,21 @@
 <?php
-// public/api/file/share.php
+declare(strict_types=1);
 
-/**
- * @OA\Get(
- *   path="/api/file/share.php",
- *   summary="Open a shared file by token",
- *   description="If the link is password-protected and no password is supplied, an HTML password form is returned. Otherwise the file is streamed.",
- *   operationId="shareFile",
- *   tags={"Shares"},
- *   @OA\Parameter(name="token", in="query", required=true, @OA\Schema(type="string")),
- *   @OA\Parameter(name="pass", in="query", required=false, @OA\Schema(type="string")),
- *   @OA\Response(
- *     response=200,
- *     description="Binary file (or HTML password form when missing password)",
- *     content={
- *       "application/octet-stream": @OA\MediaType(
- *         mediaType="application/octet-stream",
- *         @OA\Schema(type="string", format="binary")
- *       ),
- *       "text/html": @OA\MediaType(mediaType="text/html")
- *     }
- *   ),
- *   @OA\Response(response=400, description="Missing token / invalid input"),
- *   @OA\Response(response=403, description="Expired or invalid password"),
- *   @OA\Response(response=404, description="Not found")
- * )
- */
+// Buffer any accidental output so headers still work
+if (ob_get_level() === 0) {
+    ob_start();
+}
+
+// Never leak notices/warnings into the response (breaks headers + can leak paths)
+ini_set('display_errors', '0');
+ini_set('display_startup_errors', '0');
+ini_set('html_errors', '0');
+ini_set('log_errors', '1');
+
+// Avoid deprecated notices being emitted at all (Termux/PHP 8.4+)
+error_reporting(E_ALL & ~E_DEPRECATED);
 
 require_once __DIR__ . '/../../../config/config.php';
 require_once PROJECT_ROOT . '/src/controllers/FileController.php';
 
-$fileController = new FileController();
-$fileController->shareFile();
\ No newline at end of file
+(new FileController())->shareFile();
\ No newline at end of file
diff --git a/scripts/manual-sync.sh b/scripts/manual-sync.sh
index bd0cc29..52d8ebb 100644
--- a/scripts/manual-sync.sh
+++ b/scripts/manual-sync.sh
@@ -2,7 +2,7 @@
 # === Update FileRise to v2.3.2 (safe rsync, no composer on demo) ===
 set -Eeuo pipefail
 
-VER="v2.3.2"
+VER="v2.7.1"
 ASSET="FileRise-${VER}.zip"      # matches GitHub release asset name
 
 WEBROOT="/var/www"
@@ -38,16 +38,16 @@ STAGE_DIR="$(find "$TMP" -maxdepth 1 -type d -name 'FileRise*' ! -path "$TMP" |
 #    - DO NOT touch filerise-site / bundles / demo config
 #    - DO NOT touch vendor/ so Stripe + other libs stay intact on demo
 rsync -a --delete \
-  --exclude='public/.htaccess' \
-  --exclude='uploads/***' \
-  --exclude='users/***' \
-  --exclude='metadata/***' \
-  --exclude='filerise-bundles/***' \
-  --exclude='filerise-config/***' \
-  --exclude='filerise-site/***' \
-  --exclude='vendor/***' \
-  --exclude='.github/***' \
-  --exclude='docker-compose.yml' \
+  --exclude='/public/.htaccess' \
+  --exclude='/uploads/***' \
+  --exclude='/users/***' \
+  --exclude='/metadata/***' \
+  --exclude='/filerise-bundles/***' \
+  --exclude='/filerise-config/***' \
+  --exclude='/filerise-site/***' \
+  --exclude='/vendor/***' \
+  --exclude='/.github/***' \
+  --exclude='/docker-compose.yml' \
   "$STAGE_DIR"/ "$WEBROOT"/
 
 # 4) Ownership (Ubuntu/Debian w/ Apache)
diff --git a/src/controllers/FileController.php b/src/controllers/FileController.php
index 6a1c5e4..4bc62c1 100644
--- a/src/controllers/FileController.php
+++ b/src/controllers/FileController.php
@@ -1641,13 +1641,14 @@ class FileController
 
     public function shareFile()
     {
-        $token        = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
-        $providedPass = filter_input(INPUT_GET, 'pass',   FILTER_SANITIZE_STRING);
+        $token        = trim((string)($_GET['token'] ?? ''));
+        $providedPass = (string)($_GET['pass'] ?? '');
 
-        if (empty($token)) {
+        // adjust if your token format differs
+        if ($token === '' || !preg_match('/^[a-f0-9]{32}$/i', $token)) {
             http_response_code(400);
             header('Content-Type: application/json; charset=utf-8');
-            echo json_encode(["error" => "Missing token."]);
+            echo json_encode(["error" => "Missing or invalid token."]);
             exit;
         }
 
@@ -1667,6 +1668,10 @@ class FileController
         }
 
         if (!empty($record['password']) && empty($providedPass)) {
+            header('X-Content-Type-Options: nosniff');
+            header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
+            header('Pragma: no-cache');
+            header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'");
             header("Content-Type: text/html; charset=utf-8");
 ?>
             <!DOCTYPE html>