We just upgraded our server from 2.17 (Apache2) to 2.19 (mojolicious). I appreciate all the help I received here with it.
We passed the IT security scan, but my IT contact mentioned that the new 2.19 installation has been rated "only A" by ssllabs instead of the "A+" rating of the previous 2.17.
I was informed that HSTS (Strict-Transport-Security) configuration would increase security rating.
I installed Mojolicious::Plugin::SecurityHeader but I don't know how one could use it for WeBWorK.
Add the lines

plugins:
  - SecurityHeader:
      - Strict-Transport-Security: -1

to your conf/webwork2.mojolicious.yml file.
Although, I can give no guarantee that the plugin will work.
I couldn't get the plugin to work. However, there is a mechanism already built in to add extra headers to responses. If you set

extra_headers:
  '.*':
    Strict-Transport-Security: 'max-age=31536000'

that will add the Strict-Transport-Security header to all routes served by the webwork2 app. I tested this approach, and was able to get this to work.
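A small offline check of the extra_headers approach above, written as an added example for this thread (it is not WeBWorK or Mojolicious code). It assumes the keys of the extra_headers block are regular expressions matched against the request path, mirrors the '.*' entry as a constructed Python dict, and validates the resulting Strict-Transport-Security value against a minimum max-age.

```python
import re

# Constructed config with the same shape as the extra_headers block in
# conf/webwork2.mojolicious.yml (assumption: keys are regexes on the path).
EXTRA_HEADERS = {
    '.*': {'Strict-Transport-Security': 'max-age=31536000'},
}


def headers_for_route(config, path):
    """Return the extra headers whose regex key matches the request path."""
    result = {}
    for pattern, headers in config.items():
        if re.search(pattern, path):
            result.update(headers)
    return result


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains, preload).

    Returns None when the value is malformed or lacks a numeric max-age,
    which browsers would ignore, so a misconfigured header is not silently
    counted as protection.
    """
    max_age, include_sub, preload = None, False, False
    for directive in value.split(';'):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition('=')
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == 'max-age':
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == 'includesubdomains':
            include_sub = True
        elif name == 'preload':
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def hsts_ok(value, min_age=31536000):
    """True when the header parses and max-age is at least min_age seconds."""
    parsed = parse_hsts(value)
    return parsed is not None and parsed[0] >= min_age
```

Running headers_for_route on any webwork2 path returns the HSTS header, and parse_hsts reports that the value from the thread sets a one-year max-age without includeSubDomains or preload.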
Yes, that worked. Fantastic! We have A+ rating now!
Thank you!