Security Headers Checker

HTTP 200 · https://www.santander.co.uk/

[ MISSING ]

// Forces HTTPS for all connections. Prevents downgrade attacks.

// missing — add this header to improve security

[ WEAK ]

// Defines which sources of scripts/styles/images are allowed. Prevents XSS.

default-src 'none'; child-src 'self' 'unsafe-inline' https://www.googleadservices.com https://*.fls.doubleclick.net/ https://*.santander.co.uk https://santander.demdex.net blob:; script-src 'self' 'unsafe-inline' https://www.dwin1.com https://cdn.signly.co/release/latest/ https://dam.santander.co.uk https://md-scp.kampyle.com https://track.omguk.com https://cdn.usersnap.com https://screencapture.kampyle.com https://nebula-cdn.kampyle.com https://resources.digital-cloud-uk.medallia.eu https://pagead2.googlesyndication.com https://sc-static.net https://js-cdn.dynatrace.com https://activitymap.adobe.com https://cdn-ukwest.onetrust.com https://googleads.g.doubleclick.net https://lptag.liveperson.net https://lo.v.liveperson.net https://lo.msg.liveperson.net https://accdn.lpsnmedia.net https://lpcdn.lpsnmedia.net https://www.googletagservices.com https://ad.doubleclick.net https://connect.facebook.net https://*.fls.doubleclick.net/ https://www.googleadservices.com https://www.googletagmanager.com https://assets.adobedtm.com https://dpm.demdex.net https://www.google.com https://google.com https://*.santander.co.uk; connect-src 'self' 'unsafe-inline' https://google.com https://www.google.com https://analytics-fe.digital-cloud-uk.medallia.eu https://signly.azurewebsites.net https://tr.snapchat.com https://pagead2.googlesyndication.com https://dam.santander.co.uk https://events.launchdarkly.com https://app.launchdarkly.com wss://int-cb.santander.co.uk https://md-scp.kampyle.com https://resources.digital-cloud-uk.medallia.eu https://santanderuk.tt.omtrdc.net https://udc-neb.kampyle.com https://*.bf.dynatrace.com https://privacyportal-uk.onetrust.com https://cdn-ukwest.onetrust.com https://googleads4.g.doubleclick.net wss://lo.msg.liveperson.net https://dpm.demdex.net https://*.santander.co.uk; img-src 'self' https://lpcdn.lpsnmedia.net 'unsafe-inline' https://*.santander.co.uk data: https:; style-src 'self' 'unsafe-inline' https://cdn.signly.co/release/latest/ https://md-scp.kampyle.com; font-src 'self' https://dam.santander.co.uk; frame-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://cdn.signly.co/release/latest/ https://portal-benefits-calculator.turn2us.org.uk https://td.doubleclick.net https://www.youtube-nocookie.com https://activitymap.adobe.com https://resources.digital-cloud-uk.medallia.eu https://lo.tokenizer.liveperson.net https://lo.msghist.liveperson.net https://lo.msg.liveperson.net https://lpcdn.lpsnmedia.net https://lo.idp.liveperson.net https://server.lon.liveperson.net https://authorize.omniture.com https://sitecatalyst.omniture.com https://www.youtube.com https://santander.demdex.net https://*.fls.doubleclick.net; object-src 'self'; media-src https://british-sign-language-videos.signly.co https://signlymediaservice-ukso1.streaming.media.azure.net https://signlystorageaccount.blob.core.windows.net https://cdn.signly.co/images/ https://lpcdn.lpsnmedia.net; worker-src blob:; frame-ancestors 'self' https://*.santander.co.uk;

[ STRONG ]

// Prevents clickjacking by blocking iframe embedding from other origins.

SAMEORIGIN

[ STRONG ]

// Prevents MIME sniffing. Should be 'nosniff'.

nosniff

[ PRESENT ]

// Controls how much referrer info is leaked when navigating away.

strict-origin-when-cross-origin

[ MISSING ]

// Restricts which browser features (camera, mic, etc.) the page can use.

// missing — add this header to improve security