Comparing the HTTPS Security Headers of Swiss banks

This post compares the security HTTP headers used by different banks in Switzerland. A header-scanning tool is used to test each of the websites; it views the headers exactly like any browser would. Both the website of each bank and its e-banking login were tested.

The tested security headers help protect against some of the possible attacks, especially during the protected session. I would have expected all the banks to reach at least a grade of A, but I was surprised to find that many websites, even the login pages, are missing some of the basic ways of protecting the application.

Credit Suisse provides the best protection for the e-banking login, and Raiffeisen makes the best use of the security headers on its website. It is strange that the Raiffeisen website is better protected than the Raiffeisen e-banking login.

Scott Helme explains each of the different headers here, and why you should use them:


Best A+, Worst F

E-banking login

1. Grade A Credit Suisse
1. Grade A Basler Kantonalbank
3. Grade B Post Finance
3. Grade B Julius Bär
3. Grade B WIR Bank
3. Grade B DC Bank
3. Grade B Berner Kantonalbank
3. Grade B St. Galler Kantonalbank
3. Grade B Thurgauer Kantonalbank
3. Grade B J. Safra Sarasin
11. Grade C Raiffeisen
12. Grade D Zürcher Kantonalbank
13. Grade D UBS
14. Grade D Valiant

Website

1. Grade A Raiffeisen
2. Grade A Credit Suisse
2. Grade A WIR Bank
2. Grade A J. Safra Sarasin
5. Grade A St. Galler Kantonalbank
6. Grade B Post Finance
6. Grade B Valiant
8. Grade C Julius Bär
9. Grade C Migros Bank
10. Grade D UBS
11. Grade D Zürcher Kantonalbank
12. Grade D Berner Kantonalbank
13. Grade F DC Bank
14. Grade F Thurgauer Kantonalbank
15. Grade F Basler Kantonalbank



This is one of the worst protected of all the e-banking logins tested. It is missing most of the security headers, and the website is also missing most of the security headers.

The headers returned from the e-banking login are even worse than the D rating suggests, as the X-Frame-Options protection is also missing.

cache-control → no-store, no-cache, must-revalidate, private
connection → Keep-Alive
content-encoding → gzip
content-type → text/html;charset=UTF-8
date → Tue, 27 Mar 2018 11:46:15 GMT
expires → Thu, 1 Jan 1970 00:00:00 GMT
keep-alive → timeout=5, max=10
server → Apache
strict-transport-security → max-age=31536000
transfer-encoding → chunked

No CSP is present here…
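As an added example (not from the post, and not the scanner the post used), the following Python script runs the same kind of check over a captured header set: it lists which of the compared security headers are absent and flags values a browser would silently ignore, such as an X-Frame-Options value that is neither DENY nor SAMEORIGIN, or an HSTS header without max-age. The header list and the X-Frame-Options rules are standard browser behaviour; the sample response is constructed, modelled on the e-banking response quoted above, and is not a real capture.

```python
# Added example: check a captured set of HTTP response headers for the security
# headers the post compares. The sample response below is constructed, modelled
# on the e-banking login response quoted in the post; it is not a real capture.
import re

# Security headers a browser enforces, with what each one protects against.
SECURITY_HEADERS = {
    "strict-transport-security": "HSTS: browser insists on HTTPS for later visits",
    "content-security-policy": "CSP: limits where scripts, styles and frames may load from",
    "x-frame-options": "clickjacking: controls which sites may frame the page",
    "x-content-type-options": "stops MIME sniffing (value must be 'nosniff')",
    "x-xss-protection": "legacy browser XSS filter",
    "referrer-policy": "limits what the Referer header leaks to other sites",
}

# Values browsers honour for X-Frame-Options; anything else is ignored, which is
# why a typo in this header means no framing protection at all.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def normalise(headers):
    """Return a copy with lower-cased names and stripped values (names are case-insensitive)."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def check_headers(headers):
    """Return (missing, notes) for one response's headers.

    missing - security header names that are absent
    notes   - misconfigurations in headers that are present, plus caveats
    """
    h = normalise(headers)
    missing = [name for name in SECURITY_HEADERS if name not in h]
    notes = []

    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.upper()
        if value not in VALID_XFO and not value.startswith("ALLOW-FROM "):
            notes.append(f"x-frame-options value {xfo!r} is not one browsers accept")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        notes.append(f"x-content-type-options should be 'nosniff', got {xcto!r}")

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if match is None:
            notes.append("strict-transport-security has no max-age, so it is ignored")
        elif int(match.group(1)) == 0:
            notes.append("strict-transport-security max-age=0 switches HSTS off")

    # A CSP frame-ancestors directive also blocks framing in modern browsers, so
    # a missing X-Frame-Options is less serious when it is present.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" in missing and "frame-ancestors" in csp.lower():
        notes.append("x-frame-options missing, but CSP frame-ancestors covers modern browsers")

    return missing, notes


# Constructed sample, modelled on the e-banking login response quoted in the post:
# only HSTS is present, the other security headers are absent.
SAMPLE_RESPONSE = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Connection": "Keep-Alive",
    "Content-Type": "text/html;charset=UTF-8",
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000",
}


def report(headers):
    """Print a readable summary and return the (missing, notes) pair."""
    missing, notes = check_headers(headers)
    for name in missing:
        print(f"MISSING  {name:<28} {SECURITY_HEADERS[name]}")
    for note in notes:
        print(f"NOTE     {note}")
    return missing, notes


if __name__ == "__main__":
    report(SAMPLE_RESPONSE)
```

Run against the constructed sample it reports five missing headers and no notes; feed it a response with a misspelt X-Frame-Options value and it reports that the value is not one browsers accept, which is the "incorrect X-Frame-Options" case the post describes for two of the banks.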

Credit Suisse

The Credit Suisse website and login are protected with most of the headers and have a good CSP. The referrer policy header (no-referrer) is missing from the e-banking login and could be added.


default-src 'self' 'unsafe-inline' 'unsafe-eval' data: * 
* * * 
* * * * * 
* * * * 
* * * * * 
* * * * * 
* * * * 
* * * 

The CORS header (Access-Control-Allow-Origin) is present, but it allows all origins, which is a bit lax. CORS is not really a security feature in itself, but I think it should still be stricter.


default-src dnmb: 'self' * * *; 
script-src dnmb: 'self' 'unsafe-inline' 'unsafe-eval' * 
* * ; style-src 'self' 'unsafe-inline' * * *; img-src 'self' data: 
* * *; connect-src 'self' wss: ; 
font-src 'self' data:

Raiffeisen

The Raiffeisen website is the best protected of all the tested banks. The e-banking login could be improved.


This is pretty good, but it allows 'unsafe-eval', probably because of the JavaScript library used to implement the UI. This could be improved.

Content-Security-Policy: default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' ; img-src 'self' ; font-src 'self' ; connect-src 'self' ; media-src 'self' ; child-src * ; frame-src * ;
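Added example (not part of the post): a small Content-Security-Policy reviewer in Python that parses a policy, applies the default-src fallback browsers use, and flags the permissive source expressions discussed throughout this post ('unsafe-inline', 'unsafe-eval', a bare *, whole-scheme sources, and data: in a script-controlling directive). The sample policy is constructed, modelled on the e-banking policy quoted above; the fallback rules are standard CSP behaviour, including the point that frame-ancestors never inherits from default-src, so a policy consisting only of frame-ancestors 'self' (as several of the banks below send) restricts framing and nothing else.

```python
# Added example (not from the post): a minimal Content-Security-Policy reviewer.
# It parses a policy, applies the default-src fallback browsers use, and flags
# the permissive source expressions discussed in the post.

# Fetch directives that inherit default-src when they are not set explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src", "frame-src", "worker-src",
}


def parse_csp(policy):
    """Split a policy into {directive: [sources]}.

    Browsers honour the first occurrence of a directive and ignore repeats,
    so this does the same.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Sources the browser applies for `name` after default-src fallback.

    Returns None when nothing in the policy restricts that directive. Note
    that frame-ancestors never falls back: a policy with only default-src
    does not restrict framing at all.
    """
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src")
    return None


# Source expressions that weaken any directive, with the reason a reviewer gives.
WEAK_ANYWHERE = {
    "'unsafe-inline'": "inline script/style allowed, so injected markup executes",
    "'unsafe-eval'": "eval()/new Function() allowed, widening what injected data can do",
    "*": "any origin allowed; the directive restricts nothing",
    "https:": "whole scheme allowed; any HTTPS host can serve this content",
    "http:": "whole scheme allowed, and over plain HTTP",
}
# data: is harmless for images and fonts but lets attacker-chosen script load
# when it appears in a directive that controls script or plugin content.
SCRIPT_DIRECTIVES = {"default-src", "script-src", "object-src"}


def weak_sources(directives):
    """Return (directive, source, reason) triples for permissive sources, as written."""
    findings = []
    for name, sources in directives.items():
        for src in sources:
            low = src.lower()
            if low in WEAK_ANYWHERE:
                findings.append((name, src, WEAK_ANYWHERE[low]))
            elif low == "data:" and name in SCRIPT_DIRECTIVES:
                findings.append((name, src, "data: URIs can carry attacker-chosen script"))
    return findings


def review(policy):
    """Summarise a policy the way the post does: weak sources, effective script-src, framing."""
    directives = parse_csp(policy)
    return {
        "weak": weak_sources(directives),
        "script_src": effective_sources(directives, "script-src"),
        "restricts_framing": "frame-ancestors" in directives,
    }


# Constructed sample, modelled on the e-banking policy quoted above (not a real capture).
SAMPLE_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; "
    "connect-src 'self'; media-src 'self'; child-src *; frame-src *"
)

if __name__ == "__main__":
    result = review(SAMPLE_POLICY)
    for directive, src, reason in result["weak"]:
        print(f"{directive:<12} {src:<16} {reason}")
    print("effective script-src:", result["script_src"])
    print("restricts framing:", result["restricts_framing"])
```

The reviewer reports sources as written, so a policy that only sets default-src 'unsafe-inline' produces one finding; effective_sources() is what tells you that the same weakness then applies to script-src, style-src and every other directive that was left to inherit.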

Zürcher Kantonalbank

The website is pretty bad: it has a misconfigured X-Frame-Options header. The e-banking login is missing most of the headers.

Post Finance

Post Finance is missing the CSP header and the no-referrer header on both the website and the login. This could be improved.

Julius Bär

Julius Bär is missing the CSP header and the no-referrer header on the e-banking login, and the X-Frame-Options header is also missing from the website.

Migros Bank

The website is missing a lot of headers as well.

Migros Bank provided no login link in the browser, so the e-banking was not tested.

WIR Bank

The WIR Bank has one of the best websites; it is only missing the no-referrer header. Its e-banking solution is missing both a CSP header and a referrer policy. Here the website is more secure than the e-banking, which is strange.


frame-ancestors 'self';

DC Bank

DC Bank is missing all the security headers on the website. This could really be improved! The e-banking is better, but is missing the CSP and the referrer policy.

Basler Kantonalbank

This is an interesting test. Basler Kantonalbank has no security headers on the website, and even an incorrect X-Frame-Options value. The e-banking is good, but missing the no-referrer policy. So it has both the best and the worst of the banks tested.


default-src https://* https://*; 
img-src data: https://* https://*; 
script-src 'unsafe-inline' 'unsafe-eval' 
https://* https://*; style-src 
https://* https://* 'unsafe-inline';

Berner Kantonalbank

Berner Kantonalbank has implemented 2 security headers on the website, but is missing the HSTS header. The e-banking is missing 2 of the security headers, the no-referrer policy and the CSP.


frame-ancestors 'self'

Valiant

Valiant has one of the better websites, but the worst e-banking concerning the security headers. Only the X-Frame-Options header is supported.

St. Galler Kantonalbank

The website has an A grade, but is missing 2 headers, the X-Frame-Options and the no-referrer header. The e-banking is less protected than the website, with a grade of B. It is missing the CSP and the referrer policy.


default-src 'self' 'unsafe-inline' 'unsafe-eval' 
* *; 
img-src * data: android-webview-video-poster:; font-src * data:

Thurgauer Kantonalbank

The Thurgauer website is missing all the security headers, not even HSTS is supported, and the e-banking is missing the CSP and the no-referrer headers.

J. Safra Sarasin

The J. Safra Sarasin website uses most security headers; it is only missing the no-referrer header. The e-banking website is missing the CSP and the referrer headers.


frame-ancestors 'self'

It would be nice if this part of the security could be improved for all of these websites.


  1. Did you notify the banks with your findings?

    1. I included them in a tweet about this

      1. Awesome, I’d love to see ZKB improve.

  2. […] Comparing the HTTPS Security Headers of Swiss banks (Damien Bowden) […]

  3. Thanks for adding our company and publishing your findings. You seem to have mixed up TKB and SGKB. The correct e-banking URL for SGKB would be (not
    Best, Roger Signer, SGKB

    1. Thanks for the feedback. I will fix it now.

      1. Hi Roger

        Updated. Thanks again for the feedback.

        Greetings Damien

  4. […] The comparison of the use of HTTP security headers by Swiss banks. […]
