https://www.natwest.com/

Scan ID:
a53a9b31-84c9-4b24-8beb-6d7ea88f3553Finished
Submitted URL:
https://natwest.com/Redirected
Report Finished:

Risks · 0 found

Practices that may pose security risks

  • No classification

Security Headers · 7 found

HTTP response headers that can harden the security of a web application

Learn more...
NameValueSupportInfo
Strict-Transport-Securitymax-age=31536000; includeSubDomains; preloadGoodDeclare that a website is only accessible over a secure connection (HTTPS).

Click to learn more...
X-Frame-OptionsSAMEORIGINGoodIndicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>.

Click to learn more...
X-Content-Type-OptionsnosniffGoodIndicate that the MIME types advertised in the Content-Type headers should be followed and not be changed.

Click to learn more...
Content-Security-Policyupgrade-insecure-requests; GoodControl resources the user agent is allowed to load for a given page.

Click to learn more...
Referrer-Policystrict-origin-when-cross-originGoodControl how much referrer information should be included with requests.

Click to learn more...
Clear-Site-Data—GoodControl the data stored by a client browser for their origins.

Click to learn more...
X-Permitted-Cross-Domain-Policies—GoodControl whether a web client such as Adobe Flash Player or Adobe Acrobat has permission to handle data across domains.

Click to learn more...
Permissions-Policygeolocation=(self "https://natwest.com")NewAllow and deny the use of browser features in a document or iframe.

Click to learn more...
Cross-Origin-Embedder-Policy—NewConfigure embedding cross-origin resources into the document.

Click to learn more...
Cross-Origin-Opener-Policy—NewEnsure a top-level document does not share a browsing context group with cross-origin documents.

Click to learn more...
Cross-Origin-Resource-Policy—NewRequest that the browser blocks no-cors cross-origin/cross-site requests to the given resource.

Click to learn more...
X-XSS-Protection1; mode=blockDeprecatedDeprecated. Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

Click to learn more...
Feature-Policy—DeprecatedDeprecated. Replaced by the Permissions-Policy header.

Click to learn more...
Expect-CT—DeprecatedDeprecated. Opt in to reporting and/or enforcement of Certificate Transparency requirements.

Click to learn more...
Public-Key-Pins—DeprecatedDeprecated. Allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.

Click to learn more...

Security Violations · 7 found

Requests or resources offending security policies

ViolationTypeInfo
Resource
https://www.natwest.com/
Description
The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
Content Security PolicyControl resources the user agent is allowed to load for a given page.

Click to learn more...
Resource
https://www.natwest.com/etc.clientlibs/clientlibs/granite/jquery/granite.min.js
Description
[Report Only] Refused to connect to 'https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location' because it violates the following Content Security Policy directive: "default-src 'self' blob: data: 'unsafe-inline' 'unsafe-eval' *.adobedtm.com *.scene7.com *.amazon-adsystem.com *.appdemostore.com *.atdmt.com *.avocet.io *.blubrry.com *.clicktale.net *.craftyclicks.co.uk *.doubleclick.net *.everesttech.net *.facebook.com *.facebook.net *.fca.org.uk *.google.co.uk *.google.com *.googleadservices.com *.jwpcdn.com *.liveperson.net *.linkedin.com *.lpsnmedia.net *.natwest.com *.neolane.net *.nwolb.com *.omguk.com *.omtrdc.net *.pinimg.com *.pinterest.com *.raptmedia.com *.snapchat.com *.userzoom.com *.youtube.com *.ytimg.com analytics.twitter.com api.swiftype.com dcs.demdex.net dpm.demdex.net fast.demdex.net fast.rbs.demdex.net jwpltx.com rbs.demdex.net sc-static.net static.ads-twitter.com t.co www.brightedge.com *.google.ae *.google.al *.google.am *.google.at *.google.az *.google.ba *.google.be *.google.bg *.google.bs *.google.by *.google.ca *.google.cd *.google.ch *.google.cl *.google.cm *.google.co.ao *.google.co.bw *.google.co.cr *.google.co.id *.google.co.il *.google.co.in *.google.co.jp *.google.co.ke *.google.co.kr *.google.co.ma *.google.co.nz *.google.co.th *.google.co.tz *.google.co.ug *.google.co.uz *.google.co.ve *.google.co.za *.google.co.zm *.google.co.zw *.google.com.af *.google.com.ag *.google.com.ar *.google.com.au *.google.com.bd *.google.com.bh *.google.com.bn *.google.com.bo *.google.com.br *.google.com.bz *.google.com.co *.google.com.cu *.google.com.cy *.google.com.do *.google.com.ec *.google.com.eg *.google.com.et *.google.com.fj *.google.com.gh *.google.com.gi *.google.com.gt *.google.com.hk *.google.com.jm *.google.com.kh *.google.com.kw *.google.com.lb *.google.com.ly *.google.com.mm *.google.com.mt *.google.com.mx *.google.com.my *.google.com.na *.google.com.ng *.google.com.ni *.google.com.np *.google.com.om *.google.com.pa *.google.com.pe *.google.com.pg *.google.com.ph *.google.com.pk *.google.com.pr *.google.com.py *.google.com.qa *.google.com.sa *.google.com.sb *.google.com.sg *.google.com.sl *.google.com.tj *.google.com.tr *.google.com.tw *.google.com.ua *.google.com.uy *.google.com.vc *.google.com.vn *.google.cv *.google.cz *.google.de *.google.dk *.google.dm *.google.dz *.google.es *.google.fi *.google.fr *.google.ge *.google.gg *.google.gm *.google.gp *.google.gr *.google.gy *.google.hr *.google.hu *.google.ie *.google.im *.google.iq *.google.is *.google.it *.google.je *.google.jo *.google.kz *.google.la *.google.lk *.google.lt *.google.lu *.google.lv *.google.md *.google.mg *.google.mk *.google.ml *.google.mn *.google.mu *.google.mv *.google.mw *.google.nl *.google.no *.google.pl *.google.ps *.google.pt *.google.ro *.google.rs *.google.ru *.google.sc*.google.se *.google.sh *.google.si *.google.sk *.google.sn *.google.so *.google.tg *.google.tm *.google.tn *.google.tt adservice.google.ro *.googleapis.com *.live.hdexternal.co.uk *.hdddirectsolutions.co.uk fonts.gstatic.com *.everesttech.net *.everestjs.net cdn.cookielaw.org cdn-apple.com". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Content Security PolicyControl resources the user agent is allowed to load for a given page.

Click to learn more...
Resource
https://www.natwest.com/etc.clientlibs/clientlibs/granite/jquery/granite.min.js
Description
The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
Content Security PolicyControl resources the user agent is allowed to load for a given page.

Click to learn more...
Resource
https://www.natwest.com/etc.clientlibs/clientlibs/granite/jquery/granite.min.js
Description
The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
Content Security PolicyControl resources the user agent is allowed to load for a given page.

Click to learn more...
Resource
https://www.natwest.com/etc.clientlibs/clientlibs/granite/jquery/granite.min.js
Description
The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
Content Security PolicyControl resources the user agent is allowed to load for a given page.

Click to learn more...
Resource
https://www.natwest.com/etc.clientlibs/clientlibs/granite/jquery/granite.min.js
Description
The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
Content Security PolicyControl resources the user agent is allowed to load for a given page.

Click to learn more...
Resource
https://www.natwest.com/etc.clientlibs/clientlibs/granite/jquery/granite.min.js
Description
The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
Content Security PolicyControl resources the user agent is allowed to load for a given page.

Click to learn more...

Certificates · 9 found

SSL/TLS Certificates enable websites to encrypt transactions between the client and the server and provide server identity verification

SubjectIssue dateExpiry date
natwest.comOct 8, 2024, 00:00:00Oct 8, 2025, 23:59:59
cookielaw.orgOct 11, 2024, 18:54:25Jan 9, 2025, 19:54:23
assets.adobedtm.comJul 9, 2024, 00:00:00Aug 9, 2025, 23:59:59
chatcora.natwest.comFeb 29, 2024, 00:00:00Feb 28, 2025, 23:59:59
report-uri.comSep 18, 2024, 07:00:52Dec 17, 2024, 07:00:51
geolocation.onetrust.comOct 11, 2024, 18:40:05Jan 9, 2025, 19:40:02
*.liveperson.netNov 28, 2023, 00:00:00Nov 27, 2024, 23:59:59
*.lpsnmedia.netOct 8, 2024, 00:00:00Oct 8, 2025, 23:59:59
*.v.liveperson.netAug 20, 2024, 00:00:00Aug 20, 2025, 23:59:59