Hi team, technical one but important considering you’re in the finance space.
Spotted on a hotspot today that https://theverge.com blocked me from accessing the site due to HSTS, but https://monzo.com still allowed me to connect, and it probably shouldn't.
There seems to be a reluctance to implement HSTS (and CSP) across all of Monzo's web hostnames. Maybe something has been built that will break if HSTS is added. Neither is a silver bullet, but they are baseline application security configuration matters.
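As an added example (not part of the original post, and not Monzo's code), here is a small Python check that parses a Strict-Transport-Security header the way RFC 6797 defines it and reports gaps against the usual baseline (max-age of at least a year, includeSubDomains, and a preload flag that is only asserted when the policy actually qualifies). The header strings are constructed samples, not captured responses from any site named above.

```python
# Added example (not from the original post): parse a Strict-Transport-Security
# header as RFC 6797 defines it and report gaps against a common baseline
# (max-age of at least a year, includeSubDomains, consistent preload flag).
# Any header values passed in here are constructed samples, not captured responses.
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the browser preload list requires


def parse_hsts(header_value: Optional[str]) -> dict:
    """Return {'max_age', 'include_subdomains', 'preload', 'problems'} for the header."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "problems": []}
    if header_value is None:
        policy["problems"].append("header absent: the first plain-HTTP request is unprotected")
        return policy
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be sent as a quoted-string
        if name == "max-age":
            if value.isdigit():
                policy["max_age"] = int(value)
            else:
                policy["problems"].append(f"max-age is not a number: {value!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    age = policy["max_age"]
    if age is None:
        policy["problems"].append("max-age missing: browsers ignore the header")
    elif age == 0:
        policy["problems"].append("max-age=0 clears any stored policy instead of setting one")
    elif age < ONE_YEAR:
        policy["problems"].append(f"max-age={age} is below one year")
    if not policy["include_subdomains"]:
        policy["problems"].append("includeSubDomains missing: sibling hostnames stay unprotected")
    if policy["preload"] and (age is None or age < ONE_YEAR or not policy["include_subdomains"]):
        policy["problems"].append("preload set but policy does not meet preload requirements")
    return policy


def hsts_ok(header_value: Optional[str]) -> bool:
    """True when the header is present and meets the baseline with no problems."""
    return not parse_hsts(header_value)["problems"]
```

Pass the value of the Strict-Transport-Security response header (or None when it is missing) to `hsts_ok`; an empty problem list is the outcome you want on every production hostname.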