Despite the ever-increasing number of publicised data breaches and malicious hacking attacks, many website owners assume that their sites and, most importantly, their visitors’ and customers’ data are secure and out of harm’s way. This is not the case. Sites that do have valid SSL certificates can still have vulnerabilities, particularly to man-in-the-middle attacks and cross-site scripting (XSS) attacks. In addition to the SSL certificate, sites should also implement HTTP Strict Transport Security (HSTS) and a Content Security Policy (CSP). It is worrying that many UK online banking sites appear not to have taken these relatively straightforward security measures.