Challenges
The client wanted independent assurance that the public-facing web applications used by customers and brokers could not be leveraged by an external attacker to obtain personal data, manipulate session state, or bypass authorisation controls. The scope covered both marketing and quote-journey domains and authenticated policy-management surfaces, in a production environment that had to remain fully available throughout the testing window.
CyberGlobal UK’s team faced the typical challenges of a long-running consumer web estate: a heterogeneous technology stack accumulated through multiple modernisation cycles, outdated framework components still in active use, and CORS and CSP configurations that had been extended ad hoc over time.
No critical or high-severity vulnerabilities were identified. The most relevant findings were:
- Outdated JavaScript framework components and server-side libraries with publicly known CVEs
- Overly permissive CORS configurations granting unnecessary cross-origin access
- Missing or weakened Content Security Policy headers across several journeys
- Deprecated TLS versions still negotiable on some endpoints
- Insecure use of inline frames (iframes) for embedded broker and quote content
- Session management gaps, including inconsistent cookie attributes and session-fixation exposure
- Verbose HTTP responses revealing server, framework, and version information
Solutions
CyberGlobal delivered a remediation roadmap structured around the client’s release process, so fixes could be merged into existing sprints rather than treated as a standalone project:
- Component Modernisation: A targeted upgrade programme replaced outdated framework components and third-party libraries with supported versions, eliminating exposure to known CVEs.
- CORS Tightening: Cross-origin policies reviewed end-to-end and narrowed so only strictly necessary origins, methods, and headers were permitted. Legacy partner exceptions were renewed with appropriate scoping or retired.
- CSP Rollout: A unified Content Security Policy baseline deployed across the consumer-facing journeys, with carefully scoped allow-lists for first-party and approved third-party content.
- Transport-Layer Hygiene: TLS configuration harmonised across the estate, with TLS 1.2 enforced as the minimum, modern cipher suites preferred, and HSTS applied consistently.
- Session Hardening: Cookie attributes (Secure, HttpOnly, SameSite) normalised, session-fixation paths closed, and post-authentication session regeneration introduced.
- Response Hardening: Verbose error responses and server banners suppressed, with a consistent set of security headers deployed alongside the new CSP baseline.
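The roadmap above, as an added illustration that is not CyberGlobal’s or the client’s code: a small Python checker that audits a captured HTTP response header set against the CORS, CSP, HSTS, cookie-attribute and banner points listed. The allow-listed origin and the two header sets at the bottom are constructed for the example.

```python
# Assumed allow-list of origins the client genuinely needs (constructed for this example)
ALLOWED_ORIGINS = {"https://quote.example.co.uk"}


def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return one finding per baseline control the response fails (empty list = clean)."""
    h, cookies, findings = {}, [], []
    for name, value in headers:  # Set-Cookie can repeat, so collect it separately
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            h[name.lower()] = value
    # CORS: any origin outside the strict allow-list (including '*') is over-permissive
    acao = h.get("access-control-allow-origin")
    if acao is not None and acao not in ALLOWED_ORIGINS:
        findings.append(f"cors: Access-Control-Allow-Origin '{acao}' is not in the allow-list")
    # CSP: must be present, must not re-enable inline script, and should restrict framing
    csp = h.get("content-security-policy")
    directives = {d.split()[0]: d.split()[1:] for d in (csp or "").split(";") if d.strip()}
    if csp is None:
        findings.append("csp: Content-Security-Policy header missing")
    elif "'unsafe-inline'" in directives.get("script-src", []):
        findings.append("csp: script-src allows 'unsafe-inline'")
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("framing: no frame-ancestors or X-Frame-Options restriction")
    # Transport: HSTS stops browsers from negotiating plain HTTP with the estate
    if "strict-transport-security" not in h:
        findings.append("tls: Strict-Transport-Security (HSTS) missing")
    # Session: every cookie should carry Secure, HttpOnly and SameSite
    for cookie in cookies:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"session: cookie '{cookie.split('=', 1)[0]}' lacks {', '.join(missing)}")
    # Banners: framework headers and versioned Server strings are the verbose-response finding
    if "x-powered-by" in h:
        findings.append(f"banner: X-Powered-By reveals '{h['x-powered-by']}'")
    if any(c.isdigit() for c in h.get("server", "")):
        findings.append(f"banner: Server header reveals version '{h['server']}'")
    return findings


# Constructed sample: the kind of response the assessment would have flagged
WEAK = [("Server", "Apache/2.4.29 (Ubuntu)"), ("X-Powered-By", "PHP/7.2.24"),
        ("Access-Control-Allow-Origin", "*"), ("Set-Cookie", "PHPSESSID=abc123; Path=/")]
# Constructed sample: the same response after the roadmap's hardening steps
HARDENED = [("Server", "webserver"), ("Access-Control-Allow-Origin", "https://quote.example.co.uk"),
            ("Content-Security-Policy", "default-src 'self'; script-src 'self'; frame-ancestors 'self'"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Running `audit_headers(WEAK)` yields seven findings, one per control in the roadmap, while `audit_headers(HARDENED)` returns an empty list.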
Results
The remediation work substantially reduced the residual risk associated with the consumer-facing web estate. Outdated components were brought back into supported versions, CORS and CSP policies were standardised across the journeys, and the client’s web platforms were aligned with the OWASP and NIST baselines used during testing.
Key lessons learned include the following:
- Outdated framework components and libraries remain one of the most common and most exploitable weaknesses in long-running consumer web estates.
- CORS and CSP policies need active governance — they degrade quickly when left to accumulate ad-hoc exceptions.
- Session management controls are often inconsistently applied across brand journeys built at different times by different teams.
- Production-only testing is workable when paired with a careful, manual-led methodology and clear rules of engagement.
- Regular web application assessments aligned to OWASP and NIST give regulated financial services firms a defensible, evidence-backed assurance position.
By partnering with CyberGlobal, the client achieved measurable improvement in the security posture of its consumer-facing pensions and life insurance journeys, and established a baseline for ongoing assurance across its digital channels.