This post compares the security HTTP Headers used by different banks in Switzerland. securityheaders.io is used to test each of the websites. The website of each bank as well as the e-banking login was tested. securityheaders.io views the headers like any browser.
The tested security headers help protect against some of the possible attacks, especially during the protected session. I would have expected all the banks to reach at least a grade of A, but was surprised to find, even on the login pages, many websites are missing some of the basic ways of protecting the application.
Credit Suisse provide the best protection for the e-banking login, and Raiffeisen have the best usage of the security headers on the website. Strange that the Raiffeisen webpage is better protected than the Raiffeisen e-banking login.
Scott Helme explains each of the different headers here, and why you should use them:
- Content Security Policy
- HSTS
- X-Content-Type-Options
- Referrer Policy
- X-Xss-Protection
- X-Frame-Options
TEST RESULTS
Best A+, Worst F
e-banking
1. Grade A Credit Suisse
1. Grade A Basler Kantonalbank
3. Grade B Post Finance
3. Grade B Julius Bär
3. Grade B WIR Bank
3. Grade B DC Bank
3. Grade B Berner Kantonalbank
3. Grade B St. Galler Kantonalbank
3. Grade B Thurgauer Kantonalbank
3. Grade B J. Safra Sarasin
11. Grade C Raiffeisen
12. Grade D Zürcher Kantonalbank
13. Grade D UBS
14. Grade D Valiant
web
1. Grade A Raiffeisen
2. Grade A Credit Suisse
2. Grade A WIR Bank
2. Grade A J. Safra Sarasin
5. Grade A St. Galler Kantonalbank
6. Grade B Post Finance
6. Grade B Valiant
8. Grade C Julius Bär
9. Grade C Migros Bank
10. Grade D UBS
11. Grade D Zürcher Kantonalbank
12. Grade D Berner Kantonalbank
13. Grade F DC Bank
14. Grade F Thurgauer Kantonalbank
15. Grade F Basler Kantonalbank
TEST RESULTS DETAILS
UBS
This is one of the worst protected of all the bank e-banking logins tested. It is missing most of the security headers. The website is also missing most of the security headers.
The headers returned from the e-banking login are even worse than the D rating suggests, as the X-Frame-Options protection is also missing:
cache-control: no-store, no-cache, must-revalidate, private
connection: Keep-Alive
content-encoding: gzip
content-type: text/html;charset=UTF-8
date: Tue, 27 Mar 2018 11:46:15 GMT
expires: Thu, 1 Jan 1970 00:00:00 GMT
keep-alive: timeout=5, max=10
p3p: CP="OTI DSP CURa OUR LEG COM NAV INT"
server: Apache
strict-transport-security: max-age=31536000
transfer-encoding: chunked
No CSP is present here…
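As an added example (not code from the post or from securityheaders.io), the following checker takes a response header set such as the one quoted above and reports which of the six compared headers are absent, and which are present but carry a value that gives little or no protection. The HSTS one-year threshold is the HSTS preload list's minimum; the bank header values are the ones quoted above.

```python
# Added example, not code from the post: check a response's headers for the six
# headers compared in the post and flag values that give little or no protection.
import re

SECURITY_HEADERS = (
    "content-security-policy", "strict-transport-security", "x-content-type-options",
    "referrer-policy", "x-xss-protection", "x-frame-options",
)
VALID_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete; current browsers ignore it
ONE_YEAR = 31536000                  # minimum max-age the HSTS preload list requires

# Constructed sample: the UBS e-banking login headers quoted above (no CSP, no X-Frame-Options).
UBS_LOGIN = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Content-Type": "text/html;charset=UTF-8",
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000",
}

def normalise(headers):
    """Lower-case header names so lookups are case-insensitive, as HTTP requires."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}

def missing_headers(headers):
    """Compared headers that the response does not send at all."""
    present = normalise(headers)
    return [h for h in SECURITY_HEADERS if h not in present]

def misconfigured_headers(headers):
    """Compared headers that are sent, but with a value that gives little or no protection."""
    h = normalise(headers)
    problems = []
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in VALID_XFO:
        problems.append(f"x-frame-options: '{xfo}' is not DENY or SAMEORIGIN")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        problems.append(f"x-content-type-options: '{xcto}' should be nosniff")
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            problems.append(f"strict-transport-security: '{hsts}' max-age below one year")
    return problems

def usable_header_count(headers):
    """How many of the six compared headers are both present and usable."""
    missing = missing_headers(headers)
    bad = {p.split(":")[0] for p in misconfigured_headers(headers)}
    return len(SECURITY_HEADERS) - len(missing) - len(bad)
```

Feeding the quoted UBS login headers through it yields one usable header (HSTS), which matches the rating discussed above.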
Credit Suisse
The Credit Suisse website and login are protected with most of the headers and have a good CSP. The no-referrer header is missing from the e-banking login and could be added.
https://www.credit-suisse.com/ch/en.html
CSP
default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.credit-suisse.com *.credit-suisse.cspta.ch *.doubleclick.net *.decibelinsight.net *.mookie1.com *.demdex.net *.adnxs.com *.facebook.net *.google.com *.google-analytics.com *.googletagmanager.com *.google.ch *.googleapis.com *.youtube.com *.ytimg.com *.gstatic.com *.googlevideo.com *.twitter.com *.twimg.com *.qq.com *.omtrdc.net *.everesttech.net *.facebook.com *.adobedtm.com *.ads-twitter.com t.co *.licdn.com *.linkedin.com *.credit-suisse.wesit.rowini.net *.zemanta.com *.inbenta.com *.adobetag.com sc-static.net
The CORS header is present, but it allows all origins, which is a bit lax. CORS is not really a security feature, but I think it should still be more strict.
https://direct.credit-suisse.com/dn/c/cls/auth?language=en
CSP
default-src dnmb: 'self' *.credit-suisse.com *.directnet.com *.nab.ch; script-src dnmb: 'self' 'unsafe-inline' 'unsafe-eval' *.credit-suisse.com *.directnet.com *.nab.ch ; style-src 'self' 'unsafe-inline' *.credit-suisse.com *.directnet.com *.nab.ch; img-src 'self' http://img.youtube.com data: *.credit-suisse.com *.directnet.com *.nab.ch; connect-src 'self' wss: ; font-src 'self' data:
Raiffeisen
The Raiffeisen website is the best protected of all the tested banks. The e-banking could be improved.
https://www.raiffeisen.ch/rch/de.html
CSP
This is pretty good, but it allows unsafe-eval, probably due to the JavaScript library used to implement the UI. This could be improved.
default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' assets.adobedtm.com maps.googleapis.com login.raiffeisen.ch ; style-src 'self' 'unsafe-inline' fonts.googleapis.com ; img-src 'self' statistics.raiffeisen.ch dmp.adform.net maps.googleapis.com maps.gstatic.com csi.gstatic.com khms0.googleapis.com khms1.googleapis.com www.homegate.ch dpm.demdex.net raiffeisen.demdex.net ; font-src 'self' fonts.googleapis.com fonts.gstatic.com ; connect-src 'self' api.raiffeisen.ch statistics.raiffeisen.ch www.homegate.ch prod1.solid.rolotec.ch dpm.demdex.net login.raiffeisen.ch ; media-src 'self' ruz.ch ; child-src * ; frame-src * ;
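As an added example (not code from the post), the following parser reads a Content-Security-Policy value and reports the weaknesses discussed for the Credit Suisse and Raiffeisen policies above: 'unsafe-inline' and 'unsafe-eval' reaching script-src (directly or through the default-src fallback), '*' and scheme-only sources that permit any host, plaintext http:// sources, and a missing default-src or frame-ancestors. The sample policy is constructed, modelled on those two policies; the host names in it are the ones quoted above.

```python
# Added example, not code from the post: parse a CSP value and flag the weak spots
# the post points at. Directive names are treated case-insensitively, as browsers do.

# Fetch directives that fall back to default-src when they are not listed.
FALLBACK_TO_DEFAULT = ("script-src", "style-src", "img-src", "font-src",
                       "connect-src", "media-src", "frame-src", "child-src")
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "data:")
ANY_HOST = ("*", "http:", "https:")  # scheme-only sources allow every host on that scheme

# Constructed sample modelled on the Raiffeisen and Credit Suisse policies quoted above.
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval' assets.adobedtm.com; "
              "img-src 'self' http://img.youtube.com data:; "
              "frame-src *; child-src *")

def parse_csp(policy):
    """Split a policy into {directive: [sources]}, keeping source order."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_sources(directives, name):
    """Sources that apply to `name`, honouring the default-src fallback; None = unrestricted."""
    if name in directives:
        return directives[name]
    if name in FALLBACK_TO_DEFAULT:
        return directives.get("default-src")
    return None

def csp_findings(policy):
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: directives that are not listed are unrestricted")
    scripts = effective_sources(d, "script-src")
    if scripts is None:
        findings.append("script-src: unrestricted")
    else:
        findings += [f"script-src allows {w}" for w in WEAK_SCRIPT_SOURCES if w in scripts]
    for name, sources in d.items():
        for src in sources:
            if src in ANY_HOST:
                findings.append(f"{name}: '{src}' permits any host")
            elif src.startswith("http://"):
                findings.append(f"{name}: plaintext source {src}")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: framing control depends on X-Frame-Options alone")
    return findings
```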
https://ebanking.raiffeisen.ch/
Zürcher Kantonalbank
The website is pretty bad. It has a mis-configuration in the X-Frame-Options. The e-banking login is missing most of the headers.
https://onba.zkb.ch/page/logon/logon.page
Post Finance
Post Finance is missing the CSP header and the no-referrer header in both the website and the login. This could be improved.
https://www.postfinance.ch/de/privat.html
https://www.postfinance.ch/ap/ba/fp/html/e-finance/home?login
Julius Bär
Julius Bär is missing the CSP header and the no-referrer header for the e-banking login, and the X-Frame-Options is also missing from the website.
https://www.juliusbaer.com/global/en/home/
https://ebanking.juliusbaer.com/bjbLogin/login?lang=en
Migros Bank
The website is missing a lot of headers as well.
https://www.migrosbank.ch/de/privatpersonen.html
Migros Bank provides no e-banking login link on the website, so no login page could be tested.
WIR Bank
WIR Bank has one of the best websites, and is only missing the no-referrer header. Its e-banking solution is missing both a CSP header and a referrer policy. Here the website is more secure than the e-banking, which is strange.
CSP
frame-ancestors 'self' https://www.jobs.ch;
https://wwwsec.wir.ch/authen/login?lang=de
DC Bank
The DC Bank is missing all the security headers on the website. This could really be improved! The e-banking is better, but missing the CSP and the referrer policies.
https://banking.dcbank.ch/login/login.jsf?bank=74&lang=de&path=layout/dcb
Basler Kantonalbank
This is an interesting test. Basler Kantonalbank has no security headers on the website, and even an incorrect X-Frame-Options. The e-banking is good, but missing the no-referrer policy. So it has both the best and the worst of the banks tested.
https://login.bkb.ch/auth/login
CSP
default-src https://*.bkb.ch https://*.mybkb.ch; img-src data: https://*.bkb.ch https://*.mybkb.ch; script-src 'unsafe-inline' 'unsafe-eval' https://*.bkb.ch https://*.mybkb.ch; style-src https://*.bkb.ch https://*.mybkb.ch 'unsafe-inline';
Berner Kantonalbank
The Berner Kantonalbank has implemented 2 security headers on the website, but is missing the HSTS header. The e-banking is missing 2 of the security headers, the no-referrer policy and the CSP.
CSP
frame-ancestors 'self'
https://banking.bekb.ch/login/login.jsf?bank=5&lang=de&path=layout/bekb
Valiant
Valiant has one of the better websites, but the worst e-banking concerning the security headers. Only X-Frame-Options is supported.
https://www.valiant.ch/privatkunden
https://wwwsec.valiant.ch/authen/login
St. Galler Kantonalbank
The website is an A grade, but is missing 2 headers, X-Frame-Options and the no-referrer header. The e-banking is less protected compared to the website and has a grade B. It is missing the CSP and the referrer policy.
CSP
default-src 'self' 'unsafe-inline' 'unsafe-eval' recruitingapp-1154.umantis.com *.googleapis.com *.gstatic.com prod1.solid.rolotec.ch beta.idisign.ch test.idisign.ch dis.swisscom.ch www.newhome.ch www.wuestpartner.com; img-src * data: android-webview-video-poster:; font-src * data:
https://www.onba.ch/login/login
Thurgauer Kantonalbank
The Thurgauer website is missing all the security headers, not even HSTS is supported, and the e-banking is missing the CSP and the no-referrer headers.
https://banking.tkb.ch/login/login
J. Safra Sarasin
The J. Safra Sarasin website uses most security headers; it is only missing the no-referrer header. The e-banking website is missing the CSP and the referrer headers.
CSP
frame-ancestors 'self'
https://ebanking-ch.jsafrasarasin.com/ebankingLogin/login
It would be nice if this part of the security could be improved for all of these websites.
Did you notify the banks with your findings?
I included them in a tweet about this
Awesome, I’d love to see ZKB improve.
[…] Comparing the HTTPS Security Headers of Swiss banks (Damien Bowden) […]
Thanks for adding our company and publishing your findings. You seem to have mixed up TKB and SGKB. The correct e-banking URL for SGKB would be https://www.onba.ch/login/login (not banking.tkb.ch).
Best, Roger Signer, SGKB
Thanks for the feedback. I will fix it now.
Hi Roger
Updated. Thanks again for the feedback.
Greetings Damien
[…] A comparison of the use of HTTP security headers by Swiss banks. […]