Security Headers Checker

HTTP 200 · https://www.hsbc.co.uk/

[ STRONG ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

max-age=31536000; includeSubdomains

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

default-src 'self' *.hsbc.com.hk *.mastercard.com.au *.demdex.net *.lpsnmedia.net *.liveperson.net; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.tiqcdn.com *.tealiumiq.com *.liveperson.net *.googletagmanager.com *.hsbc.co.uk *.hsbc.com.hk *.doubleclick.net *.googleadservices.com *.lpsnmedia.net *.optimizely.com *.facebook.net *.google.com *.gstatic.com *.appdynamics.com *.googleapis.com *.awswaf.com *.analytics.yahoo.com vjs.zencdn.net players.brightcove.net *.ads-twitter.com *.hsbc.ae rum.hlx.page bat.bing.com *.amazon-adsystem.com s.amazon-adsystem.com *.v.liveperson.net googleads.g.doubleclick.net connect.facebook.net static.ads-twitter.com tags.tiqcdn.com lptag.liveperson.net lpcdn.lpsnmedia.net cdn.optimizely.com accdn.lpsnmedia.net www.googletagmanager.com cdn.appdynamics.com www.google-analytics.com ssl.google-analytics.com www.googleadservices.com cdn-assets-prod.s3.amazonaws.com app.contentsquare.com *.pinimg.com *.pinterest.com *.analytics.tiktok.com analytics.tiktok.com snap.licdn.com *.recaptcha.net s.yimg.com *.askus.hsbc.co.uk *.appspot.com tt.omtrdc.net *.sc.omtrdc.net *.demdex.net *.twitter.com t.co *.walkme.com *.omguk.com *.adsrvr.org pixel.everesttech.net liveperson.com *.contentsquare.com *.qualtrics.com *.quantserve.com *.outbrain.com *.taboola.com *.google-analytics.com www.google.com www.gstatic.cn *.hsbc.com.cn *.isstprod.hsbc.com.cn *.akamaihd.net *.tt.omtrdc.net c-hsbc.lytics.io; img-src data: * blob: *.pinimg.com *.pinterest.com *.analytics.tiktok.com analytics.tiktok.com *.liveperson.net *.lpsnmedia.net; connect-src 'self' *.tiqcdn.com *.tealiumiq.com *.hsbc.com.hk *.eum-appdynamics.com *.optimizely.com wss://*.liveperson.net *.cloud.hsbc *.awswaf.com *.analytics.yahoo.com players.brightcove.net edge.api.brightcove.com *.googleapis.com *.hsbc.ae *.omtrdc.net *.demdex.net *.hsbc.co.om *.brightcovecdn.com *.contentsquare.net bat.bing.com manifest.prod.boltdns.net adservice.google.com *.api.brightcove.com brightcove.hs.llnwd.net www.facebook.com maps.googleapis.com www.google.com www.googletagmanager.com *.siteintercept.qualtrics.com ad.doubleclick.net stats.g.doubleclick.net www.google-analytics.com t.co analytics.twitter.com analytics.google.com logx.optimizely.com www.google.co.uk hsbc.co.uk www.hsbc.co.uk *.lo.cobrowse.liveperson.net *.tt.omtrdc.net *.sc.omtrdc.net *.mcmprod.hsbc.co.uk rbwm-api.us.hsbc.com rbwm-api.hsbc.co.uk rbwm-api.hsbc.com.hk www.askus.hsbc.co.uk www.security.hsbc.co.uk translate.googleapis.com *.brightcove.com cdn-assets-prod.s3.amazonaws.com www.isstukdev.hsbc.co.uk www.mcmdev.hsbc.co.uk www.mcmperf.hsbc.co.uk www.isstukuat.hsbc.co.uk www.isstuk.hsbc.co.uk *.pinimg.com *.pinterest.com *.analytics.tiktok.com analytics.tiktok.com stream-dev.data.hsbc.com *.akamaihd.net px.ads.linkedin.com *.hsbc.co.uk *.qualtrics.com *.amazonaws.com *.we-stats.com *.hsbc.com wss://*.hsbc.com *.onfido.com *.appspot.com *.facebook.com tt.omtrdc.net *.liveperson.net *.google.com *.walkme.com pixel.everesttech.net *.contentsquare.com *.googletagmanager.com *.google-analytics.com *.analytics.google.com *.g.doubleclick.net code.jquery.com *.isstprod.hsbc.com.cn *.eu.v2.customers.biocatch.com analytics-ipv6.tiktokw.us www.googleadservices.com *.lpsnmedia.net; frame-src 'self' blob: *.lpsnmedia.net *.optimizely.com *.liveperson.net *.google.com *.doubleclick.net *.analytics.yahoo.com players.brightcove.net www.facebook.com connect.facebook.net www.youtube.com m.youtube.com *.demdex.net www.googletagmanager.com td.doubleclick.net *.ep-mimecast.facebook.com 8068700.fls.doubleclick.net gateway.zscalertwo.net google.com *.pinimg.com *.pinterest.com *.analytics.tiktok.com analytics.tiktok.com *.online-metrix.net *.hsbc.com.hk *.walkme.com liveperson.com *.qualtrics.com tags.tiqcdn.com *.hsbc.co.uk *.facebook.com *.recaptcha.net bid.g.doubleclick.net cdntm.hsbc.co.uk *.akamaihd.net *.ibosscloud.com m.hbeu.dxp1.preprod.eu.dynp.cloud1.vv1865.com; frame-ancestors 'self' www.hsbc.co.uk *.liveperson.net *.hsbc.co.uk; font-src 'self' data: *.hsbc.com.hk *.gstatic.com fonts.gstatic.com *.cloudfront.net at.alicdn.com cdn.jsdelivr.net *.avast.com *.alicdn.com fonts.googleapis.com *.hsbc.co.uk; worker-src 'self' blob: tags.tiqcdn.com; style-src 'self' 'unsafe-inline' *.hsbc.com.hk *.googleapis.com players.brightcove.net *.askus.hsbc.co.uk www.googletagmanager.com *.lo.cobrowse.liveperson.net *.liveperson.net *.optimizely.com *.walkme.com c-hsbc.lytics.io *.lpsnmedia.net; object-src 'self' blob: players.brightcove.net; child-src 'self' *.demdex.net *.lpsnmedia.net *.liveperson.net *.google.com blob: tags.tiqcdn.com; media-src 'self' blob: *.boltdns.net *.media.brightcove.com *.llnw.net *.llnwd.net *.akafms.net *.akamaihd.net *.cf.brightcove.com *.brightcovecdn.com lpcdn.lpsnmedia.net manifest.prod.boltdns.net ssl.gstatic.com brightcove.hs.llnwd.net *.lpsnmedia.net; manifest-src 'self' www.hsbc.co.uk; upgrade-insecure-requests ; report-uri /csp/report;

[ STRONG ]

// Prevents clickjacking by blocking iframe embedding from other origins.

SAMEORIGIN

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ MISSING ]

// Controls how much referrer info is leaked when navigating away.

// missing — add this header to improve security

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security