The last review was a financial magazine website.
Let’s be honest, security matters far more to a bank than to a magazine site; and rightly so.
So this time, we’re taking a look at https://usbank.com
Missing headers for main site response
- Missing Referrer-Policy
- Missing Content-Security-Policy
- HSTS flag present
- HSTS header missing preload
- HSTS header does not include subdomains
- Missing Feature-Policy
The above means that users are susceptible to clickjacking; the site could leak sensitive data in the Referer header to third-party websites; the most modern security option, Content-Security-Policy, is not configured; the HSTS configuration could be improved to increase its effectiveness; and lastly, Feature-Policy is missing. Feature-Policy is a newer header that lets the organization specify, in a whitelist format, exactly which browser features the site needs, so that if any malicious code is injected into the website to do something like read your gyroscope or GPS data, it cannot do so.
Lastly, they have Access-Control-Allow-Origin: * set, which is a bad practice as it leaves the site susceptible to CORS vulnerabilities.
The login page gives the following response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: private,no-cache, no-store, must-revalidate
X-FRAME-OPTIONS: ALLOW-FROM https://www.usbank.com
X-Akamai-Transformed: 9 47030 0 pmb=mTOE,1
Date: Wed, 16 Oct 2019 02:45:00 GMT
Set-Cookie: ObSSOCookie=[redacted];secure; httponly; path=/; domain=.usbank.com
Set-Cookie: ObSSOCookie=loggedout; domain=.usbank.com; expires=Tue, 15-Oct-2019 02:45:00 GMT; path=/
Set-Cookie: CE=; domain=.usbank.com; expires=Tue, 16-Oct-2029 02:45:00 GMT; path=/; secure; HttpOnly
Set-Cookie: BR=; domain=.usbank.com; expires=Tue, 15-Oct-2019 02:45:00 GMT; path=/; secure; HttpOnly
Set-Cookie: EXTOLB=; expires=Mon, 16-Sep-2019 02:45:00 GMT
Set-Cookie: NLSessionSolbs=; expires=Mon, 16-Sep-2019 02:45:00 GMT
Set-Cookie: OLBWeb=; expires=Mon, 16-Sep-2019 02:45:00 GMT
However, they do not set a Content-Security-Policy, Referrer-Policy, or X-Content-Type-Options header. This could leave users vulnerable to cross-site scripting attacks, Referer leakage of sensitive data, and attacks which rely on MIME sniffing.
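To make the checks above repeatable, here is a small header audit script that applies the same criteria to a raw response: the missing headers listed for the main site, the HSTS includeSubDomains and preload directives, the wildcard Access-Control-Allow-Origin, and the Content-Security-Policy, Referrer-Policy and X-Content-Type-Options gaps noted for the login page. This is an added example, not code from the original post or from the site's owner; both sample responses are constructed to illustrate the weak and the corrected configuration, and the header values in them are not captured from any real server.

```python
"""Security-header audit over a raw HTTP response (added example).

Parses the status line and headers, then reports findings in the categories
the review discusses. The two sample responses below are constructed: the
first mirrors the shape of the quoted login-page response with the weaknesses
the review names, the second shows the corrected configuration.
"""
from typing import List, Optional, Tuple

# Constructed: weak configuration modelled on the quoted response (illustrative values).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: private,no-cache, no-store, must-revalidate\r\n"
    "X-FRAME-OPTIONS: ALLOW-FROM https://www.example.com\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Set-Cookie: SESSION=[redacted]; secure; httponly; path=/\r\n"
    "Set-Cookie: EXTOLB=; expires=Mon, 16-Sep-2019 02:45:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same response with every finding addressed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Feature-Policy: geolocation 'none'; gyroscope 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: SESSION=[redacted]; Secure; HttpOnly; Path=/\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and (name, value) pairs.
    Names are lower-cased because header names are case-insensitive
    (the quoted response spells X-FRAME-OPTIONS in upper case)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def first(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the first value for a header name, or None if absent."""
    for n, v in headers:
        if n == name:
            return v
    return None


def check_headers(raw: str) -> List[str]:
    """Return one finding string per weakness; an empty list means all checks passed."""
    _, headers = parse_headers(raw)
    findings: List[str] = []
    # Headers whose absence the review calls out, with the risk each one addresses.
    for name, risk in [
        ("content-security-policy", "injected script runs unrestricted"),
        ("referrer-policy", "full URL may leak to third parties in Referer"),
        ("x-content-type-options", "browser may MIME-sniff responses"),
        ("feature-policy", "browser features such as geolocation are not restricted"),
    ]:
        if first(headers, name) is None:
            findings.append(f"missing {name}: {risk}")
    # HSTS: present is not enough; check includeSubDomains and preload.
    hsts = first(headers, "strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        directives = {d.strip().lower() for d in hsts.split(";")}
        if "includesubdomains" not in directives:
            findings.append("hsts lacks includeSubDomains")
        if "preload" not in directives:
            findings.append("hsts lacks preload")
    # A wildcard origin lets any site read the response cross-origin.
    if first(headers, "access-control-allow-origin") == "*":
        findings.append("access-control-allow-origin is *")
    # ALLOW-FROM is not honoured by current browsers, so it gives no clickjacking protection.
    xfo = first(headers, "x-frame-options")
    if xfo is None or xfo.upper().startswith("ALLOW-FROM"):
        findings.append("x-frame-options missing or uses unsupported ALLOW-FROM")
    # Cookies carrying a value should be Secure and HttpOnly; deletion cookies
    # (empty value, past expiry) are skipped to avoid false positives.
    for n, v in headers:
        if n != "set-cookie":
            continue
        name_value = v.split(";")[0]
        cookie_name, _, cookie_value = name_value.partition("=")
        if cookie_value.strip() == "":
            continue
        attrs = {p.strip().lower() for p in v.split(";")[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            findings.append(f"cookie {cookie_name.strip()} lacks Secure and/or HttpOnly")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(resp) or "no findings")
```

The script runs entirely offline on the embedded samples; to audit a live response, capture the raw headers (for example with a proxy or `curl -i`) and pass them to `check_headers`. The deletion-cookie skip matters in practice: the quoted login response clears several cookies with empty values and past expiry dates, and flagging those for missing Secure/HttpOnly would be noise.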
Header Score: C
Privacy & Trackers
The DuckDuckGo extension detected 4 trackers on the site:
- dpm.demdex.net (Advertising)
- usbank.demdex.net (Advertising)
- nexus.ensighten.com (Analytics)
- gateway.foresee.com (Analytics)
Tracker Score: B
Verdict: For a bank, USBank.com could use some improvements.