CSP/HSTS/HPKP (security headers) on Monzo.me

This is not so much a bug report as a question.

Why is HSTS not deployed on monzo.me? It’s a system that pretty much has to be completely secure considering what it handles. I’d say it’s a big target.

Without HSTS the site is vulnerable to sslstrip attacks and similar. Some kind of certificate pinning is really needed.

HSTS is of course a trust-on-first-connection system, so you could even go further and include the certificate directly in major browsers, but HSTS is a must at minimum.


Excellent question. And, although less important, the same header should be used across other TLS websites in Monzo’s portfolio, since a phishing attack might target trust in the blog or community site, and then provide a link to a fake monzo.me site.

Warning: you may get push back from some community members about reporting anything that is a security vulnerability as a bug, although there is no other more appropriate topic. But this missing header would appear as an issue in any application security vulnerability assessment Thank you for raising this.

For the record, I can’t remember seeing that happen in this community so I certainly wouldn’t worry about posting these sorts of questions.

The only thing I would say it’s probably better to have this type of discussion in the developer’s Slack channel. As it’s easier to have a quick back & forth conversation with the members of the team who deal with this sort of thing there + the average non-techy user will probably have no idea what you’re on about here :wink:

1 Like

This (and the related CSP conversation) was a conscious initial decision made by Monzo - rather than an oversight. I raised it previously and @daniel made a few comments.

Though I don’t recall exactly what he said, he was already aware and basically I think it came down to a time/benefit balance. It doesn’t add a huge amount security-wise, although it is beneficial. It will likely be added at some point, along with HPKP.

I’m sure he’ll make a quick note if there is anything to add.


Actually this is the latest on the topic :slight_smile:

Daniel's comment on the developer Slack

Thanks @daniel!


Similar to this helpful topic about HSTS…

… should the Content Security Policy HTTP response header also not be defined on all TLS websites in Monzo’s portfolio? It can help reduce cross-site scripting risk, and missing security controls like this would be reported as a vulnerability in application security testing.


HSTS has been deployed.


+1 for a (useful) CSP polciy.

Useful would be excluding inline scripts - or at least requiring that they are nonce’d.

1 Like

it seems it hasn’t, at least not on https://monzo.com : https://www.ssllabs.com/ssltest/analyze.html?d=monzo.com&s=

1 Like

This thread is about the monzo.me tld not monzo.com and thus you are correct - HSTS is only enabled on the .me domain. :+1:

Yes, but I agree with @OBR, why shouldn’t it be done on the rest of the Monzo estate? An attack against Monzo.me could simply be started via a different Monzo site/domain the user trusts.


Mike, [quote=“Mikeee, post:10, topic:8089”]
This thread is about the monzo.me tld not monzo.com and thus you are correct

@OBR didn’t post it to this thread. It was moved here by moderators. Hence it is confusing.

For the record, I’m pretty sure that OBR’s post wasn’t moved here by one of the Leaders :slight_smile:

From my recollection the Monzo.com site is currently a set of static pages hosted on github pages which would explain the lack of HSTS implementation as I don’t believe github implements it.

Github pages doesn’t implement HTTPS for custom domains at all.
Monzo are using a cloudflare proxy between the github pages site, and the users, which provides the HTTPS. So they should be perfectly able to add HSTS.


Someone’s probably just not yet flicked that toggle for HSTS in the CF menu
then it seems :slight_smile: