bpi.com.ph

HTML metadata

Title: Bank of the Philippine Islands | BPI
Language: en
Canonical: /home

Open Graph

title: Bank of the Philippine Islands
description: BPI continues to pave the way for the Philippine banking and financial industry, supporting economic growth and nation-building.

Technology

Analytics

Google Tag Manager

Fonts

Google Fonts

Third-party hosts loaded (5)

www.bpi.com.ph×102
fonts.googleapis.com×3
cdn.evgnet.com×1
fonts.gstatic.com×1
www.googletagmanager.com×1

Social

Contact

Address: BPI Head Office, 6768 Ayala Avenue, 1226, Makati City, Metro Manila, PH

DNS records live

NS

dns1.globenet.com.ph
g-net.globe.com.ph
g-net1.globe.com.ph
ns1.globeidc.com.ph
sec.globe.com.ph

MX

10 primary.us.email.fireeyecloud.com
20 alt1.us.email.fireeyecloud.com
30 alt2.us.email.fireeyecloud.com
40 alt3.us.email.fireeyecloud.com

TXT

trend-micro-v1-domain-verification.7e8606cd12f615a2bba26fbfe5e37479=6d79cdd0-c3ae-49bc-a7df-ed9c33b3d90c
MS=2EDE7BF9BD7FA8CB0DCBD86534E48E220E636774

Verified for

Adobe
Atlassian
Canva
Cisco
GlobalSign
Google
Meta

Email authentication strong

SPF

v=spf1 include:_spf-a.bpi.com.ph include:spf.protection.outlook.com include:_spf.salesforce.com -all

strict (-all)

DMARC

v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc-reports@cyberint.com; ruf=mailto:dmarc-reports@cyberint.com; fo=1

policy: reject (enforced)

DKIM

selector1: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrYWpeN/7lWHB6vjzTrVb/InLHLmZ4xTjvhsipvusOJdDiB/Al/utxZZsxhlX1f2rfkEF2S2mAYiyvHdLJqW…
s1: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2wfVaATwwL1PdrnJc74F6rBsCu335+Lt/f5YMdWngnIy3OWWnumN0JQkWxUN+y7aqx7IBEA/y5ALDDSDwi…
s2: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0nKGsqm7ePut25tSsyR9q38B3UMw6dfwPLn3GROpkM10w0l+XWmlXN6hiqqaAnLY3pBhHoHteSDhucldPD…

selectors probed

Certificate (current)

GlobalSign GCC R3 EV TLS CA 2025

from 2026-01-16 to 2027-02-17

Expires in 272 days

Full certificate history on crt.sh ↗

HTTP security headers

Header hygiene 90/100 Checked live page: https://www.bpi.com.ph/

present

strict-transport-security
content-security-policy
x-frame-options
x-content-type-options
referrer-policy
permissions-policy
cross-origin-opener-policy
cross-origin-embedder-policy
cross-origin-resource-policy

findings

CSP allows unsafe inline scripts/styles
CSP uses wildcard sources

Header values

referrer-policy: strict-origin-when-cross-origin
x-frame-options: SAMEORIGIN
permissions-policy: geolocation=(self), microphone=(self)
x-content-type-options: nosniff
content-security-policy: img-src * data: blob: 'unsafe-inline'; worker-src 'self' blob:; media-src * blob: data:; font-src * data: 'unsafe-inline'; default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://connect.facebook.net https://stats.g.doubleclick.net https://www.google-analytics.com https://analytics.google.com https://www.facebook.com https://www.linkedin.com https://cdn.linkedin.oribi.io http://ads.tiktok.com https://maps.googleapis.com https://*.googleapis.com *.google.com https://*.gstatic.com https://player.vimeo.com https://www.google.com/recaptcha/api.js https://www.google.com/recaptcha/api2/anchor https://www.google.com/recaptcha/api/fallback https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/api/siteverify https://www.google.com/recaptcha/api2/bframe https://www.youtube.com https://www.googleadservices.com https://www.google.com/pagead/conversion_async.js https://www.googleadservices.com/pagead/conversion_async.js fonts.googleapis.com maps.gstat
strict-transport-security: max-age=31557600
cross-origin-opener-policy: same-origin
cross-origin-embedder-policy: require-corp; report-to csp-endpoint
cross-origin-resource-policy: same-origin