X-Frame-Optionsヘッダー実装

ecs/jskult-webapp/src/controller/bio_api.py

@@ -79,7 +79,9 @@ def search_bio_data(
         'data': data,
         'count': bio_sales_lot_count
     })
-
+    
+    # X-Frame-Optionsヘッダー追加
+    json_response.headers['X-Frame-Options'] = 'DENY'  
     # X-Content-Type-Optionsヘッダー追加
     json_response.headers['X-Content-Type-Options'] = 'nosniff'
     # Strict-Transport-Securityヘッダー追加
@@ -161,6 +163,8 @@ async def download_bio_data(
         'download_url': download_file_url
     })
 
+    # X-Frame-Optionsヘッダー追加
+    json_response.headers['X-Frame-Options'] = 'DENY'    
     # X-Content-Type-Optionsヘッダー追加
     json_response.headers['X-Content-Type-Options'] = 'nosniff'
     # Strict-Transport-Securityヘッダー追加

ecs/jskult-webapp/src/controller/login.py

@@ -114,6 +114,8 @@ def login(
         headers={'session_key': session_key}
     )
 
+    # X-Frame-Optionsヘッダー追加
+    response.headers['X-Frame-Options'] = 'DENY'
     # X-Content-Type-Optionsヘッダー追加
     response.headers['X-Content-Type-Options'] = 'nosniff'
     # Strict-Transport-Securityヘッダー追加
@@ -179,6 +181,8 @@ def sso_authorize(
         headers={'session_key': session_key}
     )
     
+    # X-Frame-Optionsヘッダー追加
+    response.headers['X-Frame-Options'] = 'DENY'
     # X-Content-Type-Optionsヘッダー追加
     response.headers['X-Content-Type-Options'] = 'nosniff'
     # Strict-Transport-Securityヘッダー追加

ecs/jskult-webapp/src/controller/logout.py

@@ -54,6 +54,8 @@ def logout_view(
     if session:
         session_service.delete_session(session)
 
+    # X-Frame-Optionsヘッダー追加
+    template_response.headers['X-Frame-Options'] = 'DENY'
     # X-Content-Type-Optionsヘッダー追加
     template_response.headers['X-Content-Type-Options'] = 'nosniff'
     # Strict-Transport-Securityヘッダー追加

ecs/jskult-webapp/src/router/session_router.py

@@ -104,6 +104,8 @@ class AfterSetCookieSessionRoute(MeDaCaRoute):
     async def post_process_route(self, request: Request, response: Response):
         response = await super().post_process_route(request, response)
 
+        # X-Frame-Optionsヘッダー追加
+        response.headers['X-Frame-Options'] = 'DENY'
         # X-Content-Type-Optionsヘッダー追加
         response.headers['X-Content-Type-Options'] = 'nosniff'
         # Strict-Transport-Securityヘッダー追加

ecs/jskult-webapp/src/templates/_header.html

@@ -3,21 +3,9 @@
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta http-equiv="content-type" content="text/html; charset=utf-8" />
 <meta name="format-detection" content="telephone=no, address=no" />
-
-<!--HSTSヘッダーサブドメインに含む一年間(31536000秒)HTTPS強制-->
-<meta http-equiv="Strict-Transport-Security" content="
-    max-age=31536000 includeSubDomains
-    ">
-<!-- MIME-sniffing対策にX-Content-Type-Optionsヘッダー設定 -->
-<meta http-equiv="X-Content-Type-Options" content="nosniff">
-<!-- キャッシュ制御のためCache-Controlヘッダー設定 -->
-<meta http-equiv="Cache-Control" content="private">
-
 <title>{{subtitle}}</title>
-<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha1/dist/css/bootstrap.min.css"
-    integrity="sha384-GLhlTQ8iRABdZLl6O3oVMWSktQOp6b7In1Zl3/Jr59b6EGGoI1aFkw7cmDA6j6gD" crossorigin="anonymous">
-<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.10.2/font/bootstrap-icons.css"
-    integrity="sha384-b6lVK+yci+bfDmaY1u0zE8YYJt0TZxLEAFyYSLHId4xoVvsrQu3INevFKo+Xir8e" crossorigin="anonymous">
+<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0-alpha1/dist/css/bootstrap.min.css" integrity="sha384-GLhlTQ8iRABdZLl6O3oVMWSktQOp6b7In1Zl3/Jr59b6EGGoI1aFkw7cmDA6j6gD" crossorigin="anonymous">
+<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.10.2/font/bootstrap-icons.css" integrity="sha384-b6lVK+yci+bfDmaY1u0zE8YYJt0TZxLEAFyYSLHId4xoVvsrQu3INevFKo+Xir8e" crossorigin="anonymous">
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/flatpickr/dist/flatpickr.min.css">
 <link rel="stylesheet" href="/static/css/main_theme.css">
 <link rel="stylesheet" href="/static/css/pagenation.css">