Fintech & banking security benchmarks — how financial sites score

What they tend to get right

TLS is hardened: TLS 1.2+ enforced, weak ciphers refused, HSTS with long max-age and includeSubDomains, often preloaded. CSP is widely deployed — even when permissive, it's present. Cookie attributes on session and authentication cookies are correct. SPF, DKIM, and DMARC are at enforcement (p=quarantine or p=reject) because phishing is a daily threat.

Where they fall short

Permissions-Policy adoption lags the rest of the header set. Some legacy authentication subdomains lag the apex on TLS modernization. CSP, when present, is sometimes too permissive (wildcards, unsafe-inline). Credit unions and community banks often score 10-20 points below the major banks on browser headers.

Common findings in this sector

Findings that show up frequently across fintech & banking sites we’ve scanned, ranked by approximate prevalence.

• Permissions-Policy missing →

  ~60% of sites

  Even mature financial sites often skip this header

• Weak CSP →

  ~35% of sites

  When present, CSP often needs tightening (allowlists, nonce migration)

• COOP missing →

  ~50% of sites

  Cross-Origin-Opener-Policy is still uncommon outside major banks

• HSTS not preloaded →

  ~35% of sites

  HSTS is deployed but not always preload-eligible

• CAA missing →

  ~40% of sites

  CAA records are still inconsistent across the sector