There seems to be a reluctance to implement HSTS (and CSP) across all of Monzo’s web hostnames. Maybe something has been built that will break if HSTS is added. neither is a silver bullet, but they are baseline application security configuration matters.