No HSTS


#1

Hi team, technical one but important considering you’re in the finance space.

Spotted on a hotspot today that https://theverge.com blocked me from accessing the site due to HSTS, but https://monzo.com still allowed me to connect, and it probably shouldn't.

Hope this feedback helps


#2

Thank you for raising this again.

There seems to be a reluctance to implement HSTS (and CSP) across all of Monzo's web hostnames. Maybe something has been built that will break if HSTS is added. Neither is a silver bullet, but they are baseline application security configuration matters.
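Neither post shows what the two sites actually returned, so the following is an added example rather than code from this thread or from Monzo: a small checker that parses an HTTP response head, interprets the Strict-Transport-Security header as RFC 6797 defines it, and reports whether the policy meets the hstspreload.org submission bar (max-age of at least one year, includeSubDomains, preload) and whether a Content-Security-Policy header is present at all. The three response samples are constructed for illustration and the hostnames in them are only labels. The preload check matters for exactly the hotspot case in the first post: a browser only enforces HSTS for a host after it has seen the header once over HTTPS, unless the host is on the preload list, so a first visit from an unfamiliar network gets no protection from a header alone.

```python
"""HSTS / CSP response-header checker.

Added example, not code from the forum thread or from Monzo. Parses a raw
HTTP/1.1 response head, evaluates Strict-Transport-Security per RFC 6797,
and flags gaps against the hstspreload.org requirements. Sample responses
below are constructed; nothing here contacts a network unless you run the
file with hostnames on the command line.
"""
import http.client
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the hstspreload.org minimum


@dataclass
class HstsReport:
    present: bool = False
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    csp_present: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Turn a raw response head into {lower-cased name: [values in order]}."""
    headers: Dict[str, List[str]] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> HstsReport:
    """Interpret one Strict-Transport-Security value (RFC 6797 section 6.1)."""
    report = HstsReport(present=True)
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                report.max_age = int(arg)
            else:
                report.problems.append(f"max-age is not an integer: {arg!r}")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
    if report.max_age is None:
        report.problems.append("max-age directive missing (header is invalid and ignored)")
    elif report.max_age == 0:
        report.problems.append("max-age=0 clears the policy instead of setting one")
    elif report.max_age < PRELOAD_MIN_MAX_AGE:
        report.problems.append(f"max-age {report.max_age} is below the preload minimum")
    if not report.include_subdomains:
        report.problems.append("includeSubDomains missing")
    if not report.preload:
        report.problems.append("preload directive missing")
    return report


def assess(raw_response: str) -> HstsReport:
    """Assess a whole response head for HSTS and CSP."""
    headers = parse_headers(raw_response)
    hsts_values = headers.get("strict-transport-security", [])
    if hsts_values:
        # RFC 6797 section 8.1: a UA processes only the first STS header field.
        report = parse_hsts(hsts_values[0])
    else:
        report = HstsReport(problems=["no Strict-Transport-Security header"])
    report.csp_present = "content-security-policy" in headers
    if not report.csp_present:
        report.problems.append("no Content-Security-Policy header")
    return report


def fetch_head(host: str) -> str:
    """Fetch the response head of https://<host>/ and render it as raw text."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/", headers={"User-Agent": "hsts-check"})
    resp = conn.getresponse()
    return f"HTTP/1.1 {resp.status} {resp.reason}\n" + "".join(
        f"{k}: {v}\n" for k, v in resp.getheaders())


# Constructed sample responses (not captured from any real site).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
Content-Type: text/html
"""
WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Type: text/html
"""
MISSING_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
"""

if __name__ == "__main__":
    targets = [(h, fetch_head(h)) for h in sys.argv[1:]] or [
        ("good-sample", GOOD_RESPONSE), ("weak-sample", WEAK_RESPONSE),
        ("missing-sample", MISSING_RESPONSE)]
    for label, raw in targets:
        r = assess(raw)
        print(f"{label}: {'OK' if r.ok else 'PROBLEMS'}")
        for p in r.problems:
            print(f"  - {p}")
```

Run it with no arguments to see the three constructed samples scored; run it with one or more hostnames to score live responses (a HEAD request to `/` over HTTPS). A site that passes `assess` still needs the HTTP-to-HTTPS redirect that hstspreload.org also requires before submission, and a `max-age=0` response is worth watching for separately, since it is how a site deliberately withdraws a policy it previously set.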