This post compares the security HTTP headers used by different banks in Switzerland. securityheaders.io was used to test each of the sites: both the public website and the e-banking login page of each bank were tested. securityheaders.io sees the headers the way a browser does, so the grades reflect what a customer's browser actually receives.
The tested security headers help protect against some classes of attack (injected script, clickjacking, protocol downgrade, referrer leakage), and they matter most during the authenticated e-banking session. I would have expected all the banks to reach at least a grade of A, but was surprised to find that many sites, even the login pages, are missing some of the basic protections.
Credit Suisse provides the best protection for the e-banking login, and Raiffeisen makes the best use of the security headers on its website. Strangely, the Raiffeisen website is better protected than the Raiffeisen e-banking login.
Scott Helme explains each of the different headers here, and why you should use them:
- Content Security Policy
- Referrer Policy
Best A+, Worst F

E-banking login ranking
1. Grade A Credit Suisse
1. Grade A Basler Kantonalbank
3. Grade B Post Finance
3. Grade B Julius Bär
3. Grade B WIR Bank
3. Grade B DC Bank
3. Grade B Berner Kantonalbank
3. Grade B St. Galler Kantonalbank
3. Grade B Thurgauer Kantonalbank
3. Grade B J. Safra Sarasin
11. Grade C Raiffeisen
12. Grade D Zürcher Kantonalbank
13. Grade D UBS
14. Grade D Valiant
Website ranking
1. Grade A Raiffeisen
2. Grade A Credit Suisse
2. Grade A WIR Bank
2. Grade A J. Safra Sarasin
5. Grade A St. Galler Kantonalbank
6. Grade B Post Finance
6. Grade B Valiant
8. Grade C Julius Bär
9. Grade C Migros Bank
10. Grade D UBS
11. Grade D Zürcher Kantonalbank
12. Grade D Berner Kantonalbank
13. Grade F DC Bank
14. Grade F Thurgauer Kantonalbank
15. Grade F Basler Kantonalbank
TEST RESULTS DETAILS
This is one of the worst protected of all the e-banking logins tested: it is missing most of the security headers, and the website is missing most of them as well.
The headers returned from the e-banking login are even worse than the D rating suggests, as the X-Frame-Options protection is also missing:
cache-control: no-store, no-cache, must-revalidate, private
connection: Keep-Alive
content-encoding: gzip
content-type: text/html;charset=UTF-8
date: Tue, 27 Mar 2018 11:46:15 GMT
expires: Thu, 1 Jan 1970 00:00:00 GMT
keep-alive: timeout=5, max=10
p3p: CP="OTI DSP CURa OUR LEG COM NAV INT"
server: Apache
strict-transport-security: max-age=31536000
transfer-encoding: chunked
No CSP is present here…
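To reproduce this kind of check offline, here is a small header audit in Python. It is an added example written for this post, not securityheaders.io's own scoring code: it parses a raw response (the kind `curl -sI https://host/` prints), reports which of the headers securityheaders.io looked for are present or missing, and adds the value-level checks a practitioner would want (HSTS lifetime and includeSubDomains, an invalid X-Frame-Options value, a wrong X-Content-Type-Options value). The sample response is constructed, modelled on the e-banking login headers quoted above, and is not a real capture.

```python
"""Simplified security-header audit, modelled on what securityheaders.io checks.
Added example for this post; it is not securityheaders.io's own scoring code."""
from __future__ import annotations

import re

# The response headers securityheaders.io reported on at the time of this comparison.
EXPECTED = {
    "strict-transport-security": "HSTS: keep the browser on HTTPS after the first visit",
    "content-security-policy": "CSP: restrict where script, frames and other resources may load from",
    "x-frame-options": "stop the page from being framed (clickjacking)",
    "x-content-type-options": "nosniff: stop MIME-type sniffing",
    "x-xss-protection": "legacy browser XSS filter",
    "referrer-policy": "limit what leaks in the Referer header",
}

SIX_MONTHS = 15_768_000  # seconds; shorter HSTS lifetimes give little protection

# Constructed sample, modelled on the e-banking login response quoted above
# (HSTS present, no CSP, no X-Frame-Options). It is not a real capture.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: text/html;charset=UTF-8
Server: Apache
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
"""


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Turn 'Name: value' lines (e.g. from `curl -sI https://host/`) into a
    lowercase-keyed dict. Repeated names are joined with ', ' (RFC 7230 3.2.2)."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # status line or blank line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(headers: dict[str, str]) -> dict[str, list[str]]:
    """Report which expected headers are present/missing plus value-level warnings."""
    h = {k.lower(): v for k, v in headers.items()}
    present = [name for name in EXPECTED if name in h]
    missing = [name for name in EXPECTED if name not in h]
    warnings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < SIX_MONTHS:
            warnings.append(f"HSTS max-age={max_age} is below six months")
        if "includesubdomains" not in hsts.lower():
            warnings.append("HSTS lacks includeSubDomains, so other hosts under the same "
                            "domain (e.g. a separate e-banking host) are not covered")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        warnings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN; "
                        "ALLOW-FROM is ignored by most browsers and any other value is invalid")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        warnings.append(f"X-Content-Type-Options value {xcto!r} should be 'nosniff'")

    return {"present": present, "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    for key, items in audit(parse_raw_headers(SAMPLE_RESPONSE)).items():
        print(key.upper())
        for item in items:
            print("  -", item if key == "warnings" else f"{item}: {EXPECTED[item]}")
```

Run against the sample, it lists only HSTS as present, the other five headers as missing, and warns that the HSTS policy does not cover subdomains. Replace `SAMPLE_RESPONSE` with the output of `curl -sI` against a site to audit it yourself; a presence check like this is a starting point, not a substitute for reading the CSP itself.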
The Credit Suisse website and login are protected with most of the headers, and both send a CSP. The Referrer-Policy header is missing from the e-banking login and could be added. Note, though, that the website policy below puts 'unsafe-inline' and 'unsafe-eval' into default-src together with a long list of third-party advertising and analytics domains, so it does little against injected script; the login policy further down is tighter.
default-src 'self' 'unsafe-inline' 'unsafe-eval' data: *.credit-suisse.com *.credit-suisse.cspta.ch *.doubleclick.net *.decibelinsight.net *.mookie1.com *.demdex.net *.adnxs.com *.facebook.net *.google.com *.google-analytics.com *.googletagmanager.com *.google.ch *.googleapis.com *.youtube.com *.ytimg.com *.gstatic.com *.googlevideo.com *.twitter.com *.twimg.com *.qq.com *.omtrdc.net *.everesttech.net *.facebook.com *.adobedtm.com *.ads-twitter.com t.co *.licdn.com *.linkedin.com *.credit-suisse.wesit.rowini.net *.zemanta.com *.inbenta.com *.adobetag.com sc-static.net
The CORS header is present, but it allows all origins (Access-Control-Allow-Origin: *). That is lax, although CORS is not really a security feature in itself: with a wildcard origin the browser will not attach credentials to the cross-origin request, so what it mainly permits is anonymous cross-origin reads of that response. I still think it should be restricted to the origins that actually need it.
default-src dnmb: 'self' *.credit-suisse.com *.directnet.com *.nab.ch; script-src dnmb: 'self' 'unsafe-inline' 'unsafe-eval' *.credit-suisse.com *.directnet.com *.nab.ch ; style-src 'self' 'unsafe-inline' *.credit-suisse.com *.directnet.com *.nab.ch; img-src 'self' http://img.youtube.com data: *.credit-suisse.com *.directnet.com *.nab.ch; connect-src 'self' wss: ; font-src 'self' data:
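The policies quoted in this post share a few weak spots (script-src with 'unsafe-inline' and 'unsafe-eval', scheme-only sources such as `dnmb:` or `wss:`, an `http://` image source, wildcards in frame-src, no frame-ancestors), so here is a small CSP checker in Python that flags them. It is an added example written for this post, not code from any of the banks and not a full CSP evaluator; the input it runs on is the Credit Suisse e-banking login policy quoted just above, and the hardened policy it compares against is constructed for illustration.

```python
"""Minimal Content-Security-Policy checker. Added example for this post; it is not
the banks' code and not a full evaluator, just the weak-source checks that matter
for the policies quoted here."""
from __future__ import annotations

# Directives that do not fall back to default-src when absent.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri",
               "report-to", "upgrade-insecure-requests", "block-all-mixed-content"}
# Directives whose tokens are not source expressions, so they are not inspected.
SKIP_TOKENS = {"sandbox", "report-uri", "report-to",
               "upgrade-insecure-requests", "block-all-mixed-content"}
# data: URLs can carry script, so a bare data: scheme is only harmless for media.
DATA_OK = {"img-src", "font-src", "media-src", "style-src"}

# Quoted from the post: the Credit Suisse e-banking login policy.
CS_LOGIN_CSP = (
    "default-src dnmb: 'self' *.credit-suisse.com *.directnet.com *.nab.ch; "
    "script-src dnmb: 'self' 'unsafe-inline' 'unsafe-eval' *.credit-suisse.com *.directnet.com *.nab.ch ; "
    "style-src 'self' 'unsafe-inline' *.credit-suisse.com *.directnet.com *.nab.ch; "
    "img-src 'self' http://img.youtube.com data: *.credit-suisse.com *.directnet.com *.nab.ch; "
    "connect-src 'self' wss: ; font-src 'self' data:"
)
# Constructed tighter counterpart for comparison (not from any bank).
HARDENED_CSP = (
    "default-src 'none'; script-src 'self' 'nonce-r4nd0mBase64'; style-src 'self'; "
    "img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'; form-action 'self'"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source tokens]}. Names are case-insensitive
    and, as in browsers, the first occurrence of a duplicated directive wins."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str] | None:
    """Sources that apply to `name`, honouring the default-src fallback.
    None means the directive is absent and nothing restricts it."""
    if name in directives:
        return directives[name]
    if name in NO_FALLBACK:
        return None
    return directives.get("default-src")


def analyse_csp(policy: str) -> list[tuple[str, str, str]]:
    """Return (finding, directive, token) triples for weak spots in the policy."""
    d = parse_csp(policy)
    findings: list[tuple[str, str, str]] = []

    scripts = effective_sources(d, "script-src") or []
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
    nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in scripts)
    if "'unsafe-inline'" in scripts and not nonce_or_hash:
        findings.append(("unsafe-inline", "script-src", "'unsafe-inline'"))  # injected <script> runs
    if "'unsafe-eval'" in scripts:
        findings.append(("unsafe-eval", "script-src", "'unsafe-eval'"))  # eval()/Function() allowed

    for name, tokens in d.items():
        if name in SKIP_TOKENS:
            continue
        for t in tokens:
            if t.startswith("'"):
                continue  # keywords, nonces and hashes
            host = t.split("://", 1)[-1]
            if t == "*":
                findings.append(("wildcard", name, t))  # any origin at all
            elif t.startswith("http://"):
                findings.append(("plaintext", name, t))  # mixed content, tamperable in transit
            elif host.startswith("*."):
                findings.append(("wildcard-subdomain", name, t))  # every host under that domain
            elif t.endswith(":") and not (t == "data:" and name in DATA_OK):
                findings.append(("scheme-only", name, t))  # any host using that scheme

    if effective_sources(d, "object-src") is None:
        findings.append(("unrestricted", "object-src", ""))  # plugin content from anywhere
    if "frame-ancestors" not in d:
        findings.append(("unrestricted", "frame-ancestors", ""))  # framing left to X-Frame-Options
    return findings


if __name__ == "__main__":
    for finding, directive, token in analyse_csp(CS_LOGIN_CSP):
        print(f"{finding:<19} {directive:<16} {token}")
    print("hardened policy findings:", analyse_csp(HARDENED_CSP))
```

On the login policy above it reports 'unsafe-inline' and 'unsafe-eval' for scripts, the `dnmb:` scheme in default-src and script-src, the `http://img.youtube.com` image source, the bare `wss:` in connect-src, the wildcard subdomains, and the absence of frame-ancestors; the constructed hardened policy produces no findings. The same function run over the Raiffeisen website policy would additionally flag `child-src *` and `frame-src *`.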
The Raiffeisen website is the best protected of all the tested banks; the e-banking login could be improved. Even this policy, though, allows 'unsafe-inline' and 'unsafe-eval' for scripts and leaves child-src and frame-src open to any origin (*), so it mainly limits where resources load from rather than blocking injected script.
Content-Security-Policy: default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' assets.adobedtm.com maps.googleapis.com login.raiffeisen.ch ; style-src 'self' 'unsafe-inline' fonts.googleapis.com ; img-src 'self' statistics.raiffeisen.ch dmp.adform.net maps.googleapis.com maps.gstatic.com csi.gstatic.com khms0.googleapis.com khms1.googleapis.com www.homegate.ch dpm.demdex.net raiffeisen.demdex.net ; font-src 'self' fonts.googleapis.com fonts.gstatic.com ; connect-src 'self' api.raiffeisen.ch statistics.raiffeisen.ch www.homegate.ch prod1.solid.rolotec.ch dpm.demdex.net login.raiffeisen.ch ; media-src 'self' ruz.ch ; child-src * ; frame-src * ;
The website is pretty bad: X-Frame-Options is misconfigured, and the e-banking login is missing most of the headers.
Post Finance is missing the CSP and Referrer-Policy headers on both the website and the login. This could be improved.
Julius Bär is missing the CSP and Referrer-Policy headers on the e-banking login, and X-Frame-Options is also missing from the website, which is missing a lot of other headers as well.
Migros Bank provided no login link from the browser, so only the website was tested.
WIR Bank has one of the best websites, missing only the Referrer-Policy header. Its e-banking solution is missing both a CSP and a referrer policy. Here too the website is more secure than the e-banking, which is strange.
frame-ancestors 'self' https://www.jobs.ch;
DC Bank is missing all the security headers on the website. This could really be improved! The e-banking is better, but is missing the CSP and the referrer policy.
This is an interesting case. Basler Kantonalbank has no security headers on the website, and even an incorrect X-Frame-Options. The e-banking is good, but missing the Referrer-Policy. So it has both the best and the worst of the banks tested. The e-banking CSP below allows 'unsafe-inline' and 'unsafe-eval' for scripts, but at least every source is pinned to https:// first-party hosts.
default-src https://*.bkb.ch https://*.mybkb.ch; img-src data: https://*.bkb.ch https://*.mybkb.ch; script-src 'unsafe-inline' 'unsafe-eval' https://*.bkb.ch https://*.mybkb.ch; style-src https://*.bkb.ch https://*.mybkb.ch 'unsafe-inline';
Berner Kantonalbank has implemented 2 security headers on the website, but is missing the HSTS header. The e-banking is missing 2 of the security headers: Referrer-Policy and the CSP.
Valiant has one of the better websites, but the worst e-banking concerning the security headers: only X-Frame-Options is present.
St. Galler Kantonalbank
The website gets an A grade, but is missing 2 headers, X-Frame-Options and Referrer-Policy. The e-banking is less protected than the website and gets a grade B; it is missing the CSP and the referrer policy. Note that the website policy below puts 'unsafe-inline' and 'unsafe-eval' into default-src and opens img-src and font-src to any host (*), so it mainly restricts script hosts.
default-src 'self' 'unsafe-inline' 'unsafe-eval' recruitingapp-1154.umantis.com *.googleapis.com *.gstatic.com prod1.solid.rolotec.ch beta.idisign.ch test.idisign.ch dis.swisscom.ch www.newhome.ch www.wuestpartner.com; img-src * data: android-webview-video-poster:; font-src * data:
The Thurgauer Kantonalbank website is missing all the security headers, not even HSTS is present, and the e-banking is missing the CSP and Referrer-Policy headers.
J. Safra Sarasin
The J. Safra Sarasin website uses most of the security headers; it is only missing Referrer-Policy. The e-banking website is missing the CSP and referrer headers.
It would be nice if this part of the security could be improved for all of these websites.