CSP/HSTS/HPKP (security headers) on Monzo.me


#1

This is not so much a bug report as a question.

Why is HSTS not deployed on monzo.me? It’s a system that pretty much has to be completely secure considering what it handles. I’d say it’s a big target.

Without HSTS the site is vulnerable to sslstrip attacks and similar. Some kind of certificate pinning is really needed.

HSTS is of course a trust-on-first-connection system, so you could even go further and include the certificate directly in major browsers, but HSTS is a must at minimum.


#2

Excellent question. And, although less important, the same header should be used across other TLS websites in Monzo’s portfolio, since a phishing attack might target trust in the blog or community site, and then provide a link to a fake monzo.me site.

Warning: you may get push back from some community members about reporting anything that is a security vulnerability as a bug, although there is no other more appropriate topic. But this missing header would appear as an issue in any application security vulnerability assessment. Thank you for raising this.


(Alex Sherwood) #3

For the record, I can’t remember seeing that happen in this community so I certainly wouldn’t worry about posting these sorts of questions.

The only thing I would say is that it’s probably better to have this type of discussion in the developer’s Slack channel. As it’s easier to have a quick back & forth conversation with the members of the team who deal with this sort of thing there + the average non-techy user will probably have no idea what you’re on about here :wink:


(James Billingham) #4

This (and the related CSP conversation) was a conscious initial decision made by Monzo - rather than an oversight. I raised it previously and @daniel made a few comments.

Though I don’t recall exactly what he said, he was already aware and basically I think it came down to a time/benefit balance. It doesn’t add a huge amount security-wise, although it is beneficial. It will likely be added at some point, along with HPKP.

I’m sure he’ll make a quick note if there is anything to add.


(James Billingham) #5

Actually this is the latest on the topic :slight_smile:

Thanks @daniel!


#6

Similar to this helpful topic about HSTS…

… should the Content Security Policy HTTP response header also not be defined on all TLS websites in Monzo’s portfolio? It can help reduce cross-site scripting risk, and missing security controls like this would be reported as a vulnerability in application security testing.


#7

HSTS has been deployed.


(Adam Williams) #8

+1 for a (useful) CSP policy.

Useful would be excluding inline scripts - or at least requiring that they are nonce’d.
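As an added example (not code from the thread or from Monzo), a small Python checker in the spirit of the review being asked for here: it parses Strict-Transport-Security and Content-Security-Policy values from a response-header dict and reports the gaps this thread complains about (no HSTS, a short max-age, a CSP that permits inline scripts without a nonce). The sample headers and the 180-day max-age threshold are constructed assumptions.

```python
# Constructed sample response headers: a site with neither header, and the
# headers the thread asks for (sample values, not Monzo's real configuration).
SAMPLE_HEADERS = {
    "before": {"content-type": "text/html"},
    "after": {
        "content-type": "text/html",
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-R4nd0m'",
    },
}

def parse_hsts(value):
    """Split an HSTS header into {directive: value}, keys lower-cased."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_headers(headers):
    """Return the findings a header review of the kind discussed above would raise."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: an http:// first visit can be downgraded (sslstrip)")
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age", "0")
        if not max_age.isdigit() or int(max_age) < 15552000:  # 180 days (assumed minimum)
            findings.append("HSTS max-age too short")
        if "includesubdomains" not in d:
            findings.append("HSTS does not cover subdomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no defence in depth against XSS")
    else:
        policy = parse_csp(csp)
        sources = policy.get("script-src", policy.get("default-src", []))
        nonced = any(s.startswith("'nonce-") for s in sources)
        if "'unsafe-inline'" in sources and not nonced:
            findings.append("CSP permits inline scripts without a nonce")
    return findings
```

Running `check_headers` over the "before" and "after" samples shows the two missing-header findings disappear once both headers are set.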


#9

It seems it hasn’t, at least not on https://monzo.com : https://www.ssllabs.com/ssltest/analyze.html?d=monzo.com&s=104.25.211.99&hideResults=on


(Mike) #10

This thread is about the monzo.me tld not monzo.com and thus you are correct - HSTS is only enabled on the .me domain. :+1:


#11

Yes, but I agree with @OBR, why shouldn’t it be done on the rest of the Monzo estate? An attack against Monzo.me could simply be started via a different Monzo site/domain the user trusts.


#16

Mike,

> This thread is about the monzo.me tld not monzo.com and thus you are correct

@OBR didn’t post it to this thread. It was moved here by moderators. Hence it is confusing.


(Alex Sherwood) #17

For the record, I’m pretty sure that OBR’s post wasn’t moved here by one of the Leaders :slight_smile:


(Mike) #18

From my recollection the Monzo.com site is currently a set of static pages hosted on github pages which would explain the lack of HSTS implementation as I don’t believe github implements it.


#19

Github pages doesn’t implement HTTPS for custom domains at all.
Monzo are using a cloudflare proxy between the github pages site, and the users, which provides the HTTPS. So they should be perfectly able to add HSTS.


(Mike) #20

Someone’s probably just not yet flicked that toggle for HSTS in the CF menu then it seems :slight_smile: