ヘッダーCache-Control・X-Content-Type-Options・Strict-Transport-Security実装

2024-01-24 15:11:49 +09:00 · 2024-01-24 15:11:49 +09:00 · 426426b278
commit 426426b278
parent 484e77abc7
5 changed files with 56 additions and 18 deletions
--- a/ecs/jskult-webapp/src/controller/bio_api.py
+++ b/ecs/jskult-webapp/src/controller/bio_api.py
@ -79,6 +79,14 @@ def search_bio_data(
        'data': data,
        'count': bio_sales_lot_count
    })
+
+    # X-Content-Type-Optionsヘッダー追加
+    json_response.headers['X-Content-Type-Options'] = 'nosniff'
+    # Strict-Transport-Securityヘッダー追加
+    json_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+    # Cache-Controlヘッダー追加
+    json_response.headers['Cache-Control'] = 'private'
+    
    # クッキーも書き換え
    json_response.set_cookie(
        key='session',
@ -152,6 +160,14 @@ async def download_bio_data(
        'status': 'ok',
        'download_url': download_file_url
    })
+
+    # X-Content-Type-Optionsヘッダー追加
+    json_response.headers['X-Content-Type-Options'] = 'nosniff'
+    # Strict-Transport-Securityヘッダー追加
+    json_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+    # Cache-Controlヘッダー追加
+    json_response.headers['Cache-Control'] = 'private'
+    
    json_response.set_cookie(
        key='session',
        value=session.session_key,
--- a/ecs/jskult-webapp/src/controller/login.py
+++ b/ecs/jskult-webapp/src/controller/login.py
@ -113,6 +113,14 @@ def login(
        status_code=status.HTTP_303_SEE_OTHER,
        headers={'session_key': session_key}
    )
+
+    # X-Content-Type-Optionsヘッダー追加
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    # Strict-Transport-Securityヘッダー追加
+    response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+    # Cache-Controlヘッダー追加
+    response.headers['Cache-Control'] = 'private'
+
    return response


@ -170,4 +178,12 @@ def sso_authorize(
        status_code=status.HTTP_303_SEE_OTHER,
        headers={'session_key': session_key}
    )
+    
+    # X-Content-Type-Optionsヘッダー追加
+    response.headers['X-Content-Type-Options'] = 'nosniff'
+    # Strict-Transport-Securityヘッダー追加
+    response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+    # Cache-Controlヘッダー追加
+    response.headers['Cache-Control'] = 'private'
+
    return response
--- a/ecs/jskult-webapp/src/controller/logout.py
+++ b/ecs/jskult-webapp/src/controller/logout.py
@ -54,4 +54,11 @@ def logout_view(
    if session:
        session_service.delete_session(session)

+    # X-Content-Type-Optionsヘッダー追加
+    template_response.headers['X-Content-Type-Options'] = 'nosniff'
+    # Strict-Transport-Securityヘッダー追加
+    template_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+    # Cache-Controlヘッダー追加
+    template_response.headers['Cache-Control'] = 'private'
+
    return template_response
--- a/ecs/jskult-webapp/src/router/session_router.py
+++ b/ecs/jskult-webapp/src/router/session_router.py
@ -103,6 +103,14 @@ class AfterSetCookieSessionRoute(MeDaCaRoute):
    """事後処理として、セッションキーをcookieに設定するカスタムルートハンドラー"""
    async def post_process_route(self, request: Request, response: Response):
        response = await super().post_process_route(request, response)
+
+        # X-Content-Type-Optionsヘッダー追加
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        # Strict-Transport-Securityヘッダー追加
+        response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+        # Cache-Controlヘッダー追加
+        response.headers['Cache-Control'] = 'private'
+
        session_key = response.headers.get('session_key', None)
        # セッションキーがない場合はセットせずに返す
        if session_key is None:
--- a/ecs/jskult-webapp/src/templates/_header.html
+++ b/ecs/jskult-webapp/src/templates/_header.html
@ -1,15 +1,9 @@
 <meta charset="utf-8">
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
-<meta name="format-detection" content="telephone=no, address=no" http-equiv="content-type"
-    content="text/html; charset=utf-8" />
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<meta name="format-detection" content="telephone=no, address=no" />

-<!--CSPヘッダー、ローカルでのテストはContent-Security-Policy->Content-Security-Policy-Report-Onlyに変更-->
-<meta http-equiv="Content-Security-Policy" content="
-    default-src 'self' https://cdn.jsdelivr.net;
-    style-src 'self' https://cdn.jsdelivr.net 'sha384-GLhlTQ8iRABdZLl6O3oVMWSktQOp6b7In1Zl3/Jr59b6EGGoI1aFkw7cmDA6j6gD' 'sha384-b6lVK+yci+bfDmaY1u0zE8YYJt0TZxLEAFyYSLHId4xoVvsrQu3INevFKo+Xir8e';
-    script-src 'self' https://code.jquery.com https://cdn.jsdelivr.net https://pagination.js.org 'sha256-pvPw+upLPUjgMXY0G+8O0xUf+/Im1MZjXxxgOcBQBXU=' 'sha384-w76AqPfDkMBDXo30jS1Sgez6pr3x5MlQ1ZAGC+nuZB+EYdgRZgiwxhTBTkF7CXvN';
-    ">
 <!--HSTSヘッダーサブドメインに含む一年間(31536000秒)HTTPS強制-->
 <meta http-equiv="Strict-Transport-Security" content="
    max-age=31536000 includeSubDomains
@ -29,13 +23,10 @@
 <link rel="stylesheet" href="/static/css/pagenation.css">
 <link rel="stylesheet" href="/static/css/datepicker.css">
 <link rel="stylesheet" href="/static/css/loading.css">
-<script src="https://code.jquery.com/jquery-3.6.3.min.js"
-    integrity="sha256-pvPw+upLPUjgMXY0G+8O0xUf+/Im1MZjXxxgOcBQBXU=" crossorigin="anonymous"></script>
-<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha1/dist/js/bootstrap.bundle.min.js"
-    integrity="sha384-w76AqPfDkMBDXo30jS1Sgez6pr3x5MlQ1ZAGC+nuZB+EYdgRZgiwxhTBTkF7CXvN"
-    crossorigin="anonymous"></script>
-<script src="https://pagination.js.org/dist/2.5.0/pagination.min.js" crossorigin="anonymous"></script>
-<script src="https://cdn.jsdelivr.net/npm/flatpickr@4.6.13/dist/flatpickr.min.js"></script>
-<script src="https://cdn.jsdelivr.net/npm/flatpickr/dist/l10n/ja.min.js"></script>
-<script src="/static/function/businessLogicScript.js"></script>
-<script src="/static/lib/fixed_midashi.js"></script>
+<script src="https://code.jquery.com/jquery-3.6.3.min.js" integrity="sha256-pvPw+upLPUjgMXY0G+8O0xUf+/Im1MZjXxxgOcBQBXU=" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha1/dist/js/bootstrap.bundle.min.js" integrity="sha384-w76AqPfDkMBDXo30jS1Sgez6pr3x5MlQ1ZAGC+nuZB+EYdgRZgiwxhTBTkF7CXvN" crossorigin="anonymous"></script>
+<script src="https://pagination.js.org/dist/2.5.0/pagination.min.js" integrity="sha384-hAMOwOF47ClZBKl6rGGjHx8uo+4cTDSUT97JzDVolMwHHNG+2CkQH3yAv8Js08o0" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/flatpickr@4.6.13/dist/flatpickr.min.js" integrity="sha384-5JqMv4L/Xa0hfvtF06qboNdhvuYXUku9ZrhZh3bSk8VXF0A/RuSLHpLsSV9Zqhl6" crossorigin="anonymous"></script>
+<script src="https://cdn.jsdelivr.net/npm/flatpickr/dist/l10n/ja.min.js" integrity="sha384-camx8EVof9bxBiCoveSA0vaNCuM6kzDC/01eqIoob2qT6wjBN7UP+qQmYOS3mN1x" crossorigin="anonymous"></script>
+<script src="/static/function/businessLogicScript.js" integrity="sha384-ytd1o7Rx4BPzjO3RpzR9fW/Z4avGzS7+BRPZVUsQp5X4zXB6xdZpR47/En1mNl7s" crossorigin="anonymous"></script>
+<script src="/static/lib/fixed_midashi.js" integrity="sha384-mCd6L3DNaLgUWyH051BywJfzlVavCkK6F0wbMqG+j7jAq174Uf7HJdq3H4wxCJKs" crossorigin="anonymous"></script>