From 426426b278641e8f01a0ad8f1d4660341e09459e Mon Sep 17 00:00:00 2001
From: "nik.n"
Date: Wed, 24 Jan 2024 15:11:49 +0900
Subject: [PATCH] =?UTF-8?q?=E3=83=98=E3=83=83=E3=83=80=E3=83=BCCache-Contr?=
 =?UTF-8?q?ol=E3=83=BBX-Content-Type-Options=E3=83=BBStrict-Transport-Secu?=
 =?UTF-8?q?rity=E5=AE=9F=E8=A3=85?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ecs/jskult-webapp/src/controller/bio_api.py | 16 +++++++++++
 ecs/jskult-webapp/src/controller/login.py | 16 +++++++++++
 ecs/jskult-webapp/src/controller/logout.py | 7 +++++
 .../src/router/session_router.py | 8 ++++++
 ecs/jskult-webapp/src/templates/_header.html | 27 +++++++------------
 5 files changed, 56 insertions(+), 18 deletions(-)

diff --git a/ecs/jskult-webapp/src/controller/bio_api.py b/ecs/jskult-webapp/src/controller/bio_api.py
index 2f96408a..d907fd70 100644
--- a/ecs/jskult-webapp/src/controller/bio_api.py
+++ b/ecs/jskult-webapp/src/controller/bio_api.py
@@ -79,6 +79,14 @@ def search_bio_data(
 'data': data,
 'count': bio_sales_lot_count
 })
+
+ # X-Content-Type-Optionsヘッダー追加
+ json_response.headers['X-Content-Type-Options'] = 'nosniff'
+ # Strict-Transport-Securityヘッダー追加
+ json_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+ # Cache-Controlヘッダー追加
+ json_response.headers['Cache-Control'] = 'private'
+
 # クッキーも書き換え
 json_response.set_cookie(
 key='session',
@@ -152,6 +160,14 @@ async def download_bio_data(
 'status': 'ok',
 'download_url': download_file_url
 })
+
+ # X-Content-Type-Optionsヘッダー追加
+ json_response.headers['X-Content-Type-Options'] = 'nosniff'
+ # Strict-Transport-Securityヘッダー追加
+ json_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+ # Cache-Controlヘッダー追加
+ json_response.headers['Cache-Control'] = 'private'
+
 json_response.set_cookie(
 key='session',
 value=session.session_key,
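Review bot: The Strict-Transport-Security value added in search_bio_data is malformed: RFC 6797 separates directives with `;`, so `max-age=31536000 includeSubDomains` leaves max-age with a value that is not a delta-seconds token and a conforming browser discards the header instead of enabling HSTS, which means this change silently provides no HSTS at all. The line should be `json_response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'`. The identical string is copied into the download_bio_data hunk below, both login.py hunks, the logout.py hunk and the session_router.py hunk, so every copy needs the same fix. The header is only honoured when the response arrives over HTTPS, so it is worth verifying end to end once the app sits behind its TLS terminator.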
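Review bot: `Cache-Control: private` on the download_bio_data response still permits the browser to write the JSON body, including `download_url`, to its disk cache; if that URL is a per-user or time-limited link (it is built outside this hunk, so I cannot tell), `no-store` is the conventional value for a response that carries session-specific data. The change would be `json_response.headers['Cache-Control'] = 'no-store'`, and the same consideration applies to the search_bio_data hunk above, whose body is likewise tied to the session cookie it sets. Both handlers start before their hunks, so I have not seen what else they return.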
diff --git a/ecs/jskult-webapp/src/controller/login.py b/ecs/jskult-webapp/src/controller/login.py
index c8a5663c..3edf877d 100644
--- a/ecs/jskult-webapp/src/controller/login.py
+++ b/ecs/jskult-webapp/src/controller/login.py
@@ -113,6 +113,14 @@ def login(
 status_code=status.HTTP_303_SEE_OTHER,
 headers={'session_key': session_key}
 )
+
+ # X-Content-Type-Optionsヘッダー追加
+ response.headers['X-Content-Type-Options'] = 'nosniff'
+ # Strict-Transport-Securityヘッダー追加
+ response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+ # Cache-Controlヘッダー追加
+ response.headers['Cache-Control'] = 'private'
+
 return response
@@ -170,4 +178,12 @@ def sso_authorize(
 status_code=status.HTTP_303_SEE_OTHER,
 headers={'session_key': session_key}
 )
+
+ # X-Content-Type-Optionsヘッダー追加
+ response.headers['X-Content-Type-Options'] = 'nosniff'
+ # Strict-Transport-Securityヘッダー追加
+ response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+ # Cache-Controlヘッダー追加
+ response.headers['Cache-Control'] = 'private'
+
 return response
diff --git a/ecs/jskult-webapp/src/controller/logout.py b/ecs/jskult-webapp/src/controller/logout.py
index 76d9ef60..c11e10d0 100644
--- a/ecs/jskult-webapp/src/controller/logout.py
+++ b/ecs/jskult-webapp/src/controller/logout.py
@@ -54,4 +54,11 @@ def logout_view(
 if session:
 session_service.delete_session(session)
+ # X-Content-Type-Optionsヘッダー追加
+ template_response.headers['X-Content-Type-Options'] = 'nosniff'
+ # Strict-Transport-Securityヘッダー追加
+ template_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+ # Cache-Controlヘッダー追加
+ template_response.headers['Cache-Control'] = 'private'
+
 return template_response
diff --git a/ecs/jskult-webapp/src/router/session_router.py b/ecs/jskult-webapp/src/router/session_router.py
index a4a28e25..4f6ffe2f 100644
--- a/ecs/jskult-webapp/src/router/session_router.py
+++ b/ecs/jskult-webapp/src/router/session_router.py
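Review bot: The same three header assignments are now pasted verbatim into login and sso_authorize here, into logout_view below, and into the bio_api.py and session_router.py hunks, six copies in all; a single shared helper would keep the values defined once so any later correction or change (the HSTS string is the obvious candidate) does not have to be repeated per handler. Each call site then collapses to `return apply_security_headers(response)` (or `template_response` in logout_view). A sketch of the helper, placed in a module the controllers already import from, follows; it uses the `;` separator RFC 6797 requires between HSTS directives. Both login functions begin outside their hunks.
```python
SECURITY_HEADERS = {
    'X-Content-Type-Options': 'nosniff',
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Cache-Control': 'private',
}


def apply_security_headers(response):
    """Set the shared security headers on *response* and return it."""
    for name, value in SECURITY_HEADERS.items():
        response.headers[name] = value
    return response
```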
@@ -103,6 +103,14 @@ class AfterSetCookieSessionRoute(MeDaCaRoute):
 """事後処理として、セッションキーをcookieに設定するカスタムルートハンドラー"""
 async def post_process_route(self, request: Request, response: Response):
 response = await super().post_process_route(request, response)
+
+ # X-Content-Type-Optionsヘッダー追加
+ response.headers['X-Content-Type-Options'] = 'nosniff'
+ # Strict-Transport-Securityヘッダー追加
+ response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
+ # Cache-Controlヘッダー追加
+ response.headers['Cache-Control'] = 'private'
+
 session_key = response.headers.get('session_key', None)
 # セッションキーがない場合はセットせずに返す
 if session_key is None:
diff --git a/ecs/jskult-webapp/src/templates/_header.html b/ecs/jskult-webapp/src/templates/_header.html
index 920d0beb..458df9fb 100644
--- a/ecs/jskult-webapp/src/templates/_header.html
+++ b/ecs/jskult-webapp/src/templates/_header.html
@@ -1,15 +1,9 @@
- + + - - - - - - - - - \ No newline at end of file + + + + + + + \ No newline at end of file
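Review bot: `post_process_route` assigns the three headers unconditionally after `super().post_process_route(...)` returns, so a handler that deliberately set its own Cache-Control (for example `no-store` on a sensitive page, or a cacheable static asset) has it silently replaced with `private`; guarding the assignment with `if 'Cache-Control' not in response.headers:` preserves a handler's explicit choice while still supplying the default. Since this route class already applies the headers to every endpoint routed through it, the copies added in the controller hunks look redundant for those endpoints, whereas responses that do not pass through this class (other routers, exception handlers, static files) still get none of the three headers; a Starlette middleware on the app would cover all of them uniformly, though I cannot see the router wiring from this diff. The method continues past the end of the hunk.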