Introduce HSTS header for https_only conf

Change-Id: If2aafcda5478cdfc91a65220542e420ca6893e07
diff --git a/Changes b/Changes
index 271cf05..e991976 100755
--- a/Changes
+++ b/Changes
@@ -9,6 +9,7 @@
         - Establish CSP plugin.
         - Added nonce helper to CSP plugin.
         - Remove no-js class in nonced inline script.
+        - Introduce HSTS header for https_only conf.
 
 0.40 2020-12-17
         - Modernize ES and fix in-loops.
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 4a2ae7c..a6c136e 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -81,6 +81,13 @@
 
     # ... for cookie transport
     $self->sessions->secure(1);
+
+    # For all pages
+    $self->hook(
+      before_dispatch => sub {
+        shift->res->headers->header('Strict-Transport-Security' => 'max-age=3600; includeSubDomains');
+      }
+    );
   };
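Review bot: The `max-age=3600` on the Strict-Transport-Security header is only one hour, which gives almost no protection once a user has been away for a day and falls below what browsers require for preload eligibility; a value of at least a year is the usual recommendation, e.g. `'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains'`. Since the header is emitted unconditionally in `before_dispatch` for every response, `includeSubDomains` will pin every subdomain of the host to HTTPS, so it is worth confirming that no sibling service is still served over plain HTTP before this ships. A short comment above the hook naming the policy choice would help, e.g. `# HSTS: pin browsers to HTTPS for this host and all subdomains (only set under https_only)`. The enclosing block whose closing `};` ends the hunk begins before the hunk, so the exact configuration condition that gates this code is not visible here.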
 
   # Run the app from a subdirectory
diff --git a/t/subfolder.t b/t/subfolder.t
index 5731e13..d13fdc1 100644
--- a/t/subfolder.t
+++ b/t/subfolder.t
@@ -27,6 +27,7 @@
   ->element_exists('input[name=handle][value=test]')
   ->element_exists_not('div.button.top a')
   ->attr_is('body','data-korap-url','')
+  ->header_exists_not('Strict-Transport-Security')
   ;
 
 is('kalamar',$t->app->sessions->cookie_name);
@@ -41,7 +42,9 @@
 
 $t->post_ok('/user/login' => form => { handle => 'test', pwd => 'fail' })
   ->status_is(302)
-  ->header_is('Location' => '/');
+  ->header_is('Location' => '/')
+  ->header_is('Strict-Transport-Security', 'max-age=3600; includeSubDomains')
+  ;
 
 $t->get_ok('/')
   ->status_is(200)