… should the Content Security Policy HTTP response header also not be defined on all TLS websites in Monzo’s portfolio? It can help reduce cross-site scripting risk, and missing security controls like this would be reported as a vulnerability in application security testing.