Introduce HSTS header for https_only conf
Change-Id: If2aafcda5478cdfc91a65220542e420ca6893e07
diff --git a/Changes b/Changes
index 271cf05..e991976 100755
--- a/Changes
+++ b/Changes
@@ -9,6 +9,7 @@
- Establish CSP plugin.
- Added nonce helper to CSP plugin.
- Remove no-js class in nonced inline script.
+ - Introduce HSTS header for https_only conf.
0.40 2020-12-17
- Modernize ES and fix in-loops.
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 4a2ae7c..a6c136e 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -81,6 +81,13 @@
# ... for cookie transport
$self->sessions->secure(1);
+
+ # For all pages
+ $self->hook(
+ before_dispatch => sub {
+ shift->res->headers->header('Strict-Transport-Security' => 'max-age=3600; includeSubDomains');
+ }
+ );
};
# Run the app from a subdirectory
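Review bot: The `max-age=3600` on the Strict-Transport-Security header set in the new before_dispatch hook is only one hour, so a browser drops the HTTPS-only policy an hour after its last visit and the next plain-http navigation is unprotected again; for a deployment that is already running with https_only the usual recommendation is a long lifetime, e.g. `max-age=31536000` (one year). `includeSubDomains` is also a strong commitment — every subdomain of the host must serve valid HTTPS or returning browsers can no longer reach it — so it should only stay if that is known to hold, or the value should be made configurable next to the https_only setting. Suggested line: `shift->res->headers->header('Strict-Transport-Security' => 'max-age=31536000; includeSubDomains');`. The block that the closing `};` at the end of this hunk belongs to starts outside the hunk.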
diff --git a/t/subfolder.t b/t/subfolder.t
index 5731e13..d13fdc1 100644
--- a/t/subfolder.t
+++ b/t/subfolder.t
@@ -27,6 +27,7 @@
->element_exists('input[name=handle][value=test]')
->element_exists_not('div.button.top a')
->attr_is('body','data-korap-url','')
+ ->header_exists_not('Strict-Transport-Security')
;
is('kalamar',$t->app->sessions->cookie_name);
@@ -41,7 +42,9 @@
$t->post_ok('/user/login' => form => { handle => 'test', pwd => 'fail' })
->status_is(302)
- ->header_is('Location' => '/');
+ ->header_is('Location' => '/')
+ ->header_is('Strict-Transport-Security', 'max-age=3600; includeSubDomains')
+ ;
$t->get_ok('/')
->status_is(200)