Bank Website Development on 1C-Bitrix
A bank website is not a storefront but a working sales tool for financial products. A customer comes to compare interest rates, calculate a payment and apply for a loan, and all of this must happen without a single call to the call center. 1C-Bitrix provides ready-made infrastructure for such projects: info-blocks for product catalogs, the web forms module for applications, built-in caching for currency rate data and, most importantly, a vendor-certified security subsystem (Proactive Protection) that ships with the platform rather than being bolted on afterwards.
Financial Product Catalog
The catalog structure is built on info-blocks with clear segmentation by type: deposits, loans, debit and credit cards, cash and settlement services. Each type is a separate info-block or info-block section with properties specific to the product.
For deposits, the key properties are: minimum amount, placement period, interest rate (with gradation by amount and period—using a "table" property or linked Highload-block), replenishment capability and partial withdrawal option, capitalization. For loans: amount range, term, rate, borrower requirements, collateral. For cards: payment system type, cashback, service cost, grace period.
Filtering is implemented through the catalog.smart.filter component with template customization for banking specifics—sliders for amounts and periods, checkboxes for options.
Financial Product Calculators—Key Conversion Elements
A calculator is what keeps a customer on the site. The calculation runs as frontend JavaScript for instant feedback, but every figure that leaves the calculator (a submitted application, a downloaded schedule) is recomputed on the server: the browser's numbers are a preview, never an input the bank acts on.
Deposit Calculator. Input: amount, period, monthly replenishment. Output: final amount with interest and an accrual schedule by month. The formula depends on the capitalization type: simple interest, or compound interest with monthly or quarterly accrual. Interest rates are fetched from info-block properties via an AJAX request to a custom controller, so a change to product conditions in the admin panel reaches the calculator without touching the JS.
Credit Calculator. Annuity and differentiated payment—two calculation modes. Annuity formula:
P = S × (r × (1 + r)^n) / ((1 + r)^n − 1)
where S is the loan amount, r is the monthly rate as a fraction (annual rate / 100 / 12, not a percentage), and n is the number of months. Result: monthly payment, total overpayment, and a payment schedule with principal and interest breakdown. The schedule is displayed as a table and can be downloaded as PDF; the PDF is generated server-side with the TCPDF library, called by an AJAX request, from the server's own recalculation rather than from figures posted by the browser.
Mortgage Calculator differs by accounting for down payment, insurance, and early repayment option. We add a "maternity capital" field with a fixed amount that is deducted from the loan principal.
All calculators end with a "Submit Application" button: the chosen amount and term are carried into the application form as prefilled values. The rate and the computed payment are not accepted from the form on submission; the server recomputes them from the product's current conditions and rejects a mismatch.
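The annuity formula above, carried through to a kopeck-exact schedule, together with the server-side recheck that the prefilled application has to pass. This is an added example, not code from the page or from 1C-Bitrix; function names, the one-kopeck tolerance and the sample loan (1 000 000 RUB, 12 months, 12% per annum) are assumptions for illustration, and the same routines are what the backend reimplements when it validates a submission.

```javascript
// Added example, not code from the page or from 1C-Bitrix: kopeck-exact annuity
// and differentiated schedules, and the server-side recheck of a submitted
// application. Function names and the one-kopeck tolerance are assumptions.

const round2 = (x) => Math.round(x * 100) / 100;

// r in the formula is the monthly rate as a fraction, not a percentage.
function monthlyRate(annualRatePct) {
  return annualRatePct / 100 / 12;
}

// Annuity payment: P = S * r(1+r)^n / ((1+r)^n - 1).
function annuityPayment(S, annualRatePct, n) {
  if (!(S > 0) || !Number.isInteger(n) || n <= 0) {
    throw new RangeError('amount must be positive and term a whole number of months');
  }
  const r = monthlyRate(annualRatePct);
  if (r === 0) return round2(S / n);          // 0% promotional rate: even split
  const k = Math.pow(1 + r, n);
  return round2((S * r * k) / (k - 1));
}

// Rows are rounded to kopecks as they will be printed; the last row takes the
// remaining balance so the schedule always closes at exactly 0.00.
function buildSchedule(S, annualRatePct, n, mode) {
  if (mode !== 'annuity' && mode !== 'differentiated') throw new RangeError('unknown mode');
  const r = monthlyRate(annualRatePct);
  const P = mode === 'annuity' ? annuityPayment(S, annualRatePct, n) : null;
  const rows = [];
  let balance = S;
  for (let m = 1; m <= n; m++) {
    const interest = round2(balance * r);
    let principal = mode === 'annuity' ? round2(P - interest) : round2(S / n);
    if (m === n) principal = round2(balance);
    balance = round2(balance - principal);
    rows.push({ month: m, payment: round2(principal + interest), principal, interest, balance });
  }
  return rows;
}

function totals(rows) {
  const paid = rows.reduce((sum, row) => sum + row.payment, 0);
  const interest = rows.reduce((sum, row) => sum + row.interest, 0);
  return { totalPaid: round2(paid), overpayment: round2(interest) };
}

// The application form arrives prefilled from the calculator. Its "payment"
// (and any rate the browser may send) is untrusted: the server takes the rate
// from the product record, recomputes, and refuses a mismatch before anything
// is written to CRM or the core banking system.
function verifySubmittedCalculation(submitted, productRatePct, toleranceRub = 0.01) {
  const expected = annuityPayment(submitted.amount, productRatePct, submitted.months);
  return { ok: Math.abs(expected - submitted.payment) <= toleranceRub, expectedPayment: expected };
}

// Constructed input: 1 000 000 RUB for 12 months at 12% per annum.
const SAMPLE = { amount: 1000000, months: 12, ratePct: 12 };
console.log(annuityPayment(SAMPLE.amount, SAMPLE.ratePct, SAMPLE.months));      // 88848.79
console.log(totals(buildSchedule(SAMPLE.amount, SAMPLE.ratePct, SAMPLE.months, 'annuity')));
```

The schedule rounds each row as it is printed and lets the final row absorb the drift, which is what customers compare against the PDF; the recheck compares against the product's rate, not the one the browser claims, so a tampered rate or payment in the prefilled form is caught before the lead is created.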
Online Application for Credit and Card
A multi-step form based on the form.result.new component with custom template. Steps:
- Product Parameters—amount, period (prefilled from calculator)
- Personal Data—full name, date of birth, passport, tax ID
- Financial Information—workplace, experience, income
- Contacts and Consent—phone, email, data processing agreement (mandatory checkbox)
Validation at each step, both client-side and server-side: the client-side checks exist for usability, the server-side ones are the only ones that count, and all steps are re-validated together on the final submit regardless of what earlier steps stored in the session. After submission, data is recorded in Bitrix24 CRM via the REST API (method crm.lead.add) or sent directly to the bank's core banking system through an intermediate API gateway. Application status is available to the customer in the personal account by application number, and only for applications that belong to the authenticated account: the number alone must not be enough to look a status up.
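What the server-side pass over a complete application looks like before anything is written to CRM, as an added example that is not code from the page, from 1C-Bitrix or from Bitrix24. Field names, product limits, the passport and phone formats and the decision to keep passport and tax ID out of the CRM lead are assumptions for illustration; the INN check-digit algorithm is the public one for Russian tax IDs, and the `fields` object follows the shape crm.lead.add accepts.

```javascript
// Added example (not from the page, 1C-Bitrix or Bitrix24): server-side
// validation of one loan application and the whitelisted CRM payload built from
// it. Field names, limits and formats are assumptions for illustration.

const INN10_WEIGHTS = [2, 4, 10, 3, 5, 9, 4, 6, 8];
const INN12_WEIGHTS_11 = [7, 2, 4, 10, 3, 5, 9, 4, 6, 8];
const INN12_WEIGHTS_12 = [3, 7, 2, 4, 10, 3, 5, 9, 4, 6, 8];

function checkDigit(digits, weights) {
  const sum = weights.reduce((acc, w, i) => acc + w * digits[i], 0);
  return (sum % 11) % 10;
}

// Russian tax ID: 10 digits for legal entities, 12 for individuals.
function isValidInn(inn) {
  if (!/^(\d{10}|\d{12})$/.test(inn)) return false;
  const d = [...inn].map(Number);
  if (d.length === 10) return checkDigit(d, INN10_WEIGHTS) === d[9];
  return checkDigit(d, INN12_WEIGHTS_11) === d[10] && checkDigit(d, INN12_WEIGHTS_12) === d[11];
}

// Full years between an ISO date of birth and "today"; NaN for an invalid date.
function ageOn(dateIso, today) {
  const birth = new Date(dateIso);
  if (Number.isNaN(birth.getTime())) return NaN;
  let age = today.getUTCFullYear() - birth.getUTCFullYear();
  const m = today.getUTCMonth() - birth.getUTCMonth();
  if (m < 0 || (m === 0 && today.getUTCDate() < birth.getUTCDate())) age--;
  return age;
}

// Product limits come from the info-block on the server, never from the request.
function validateApplication(input, product, today = new Date()) {
  const errors = [];
  const amount = Number(input.amount);
  const months = Number(input.months);
  if (!(amount >= product.minAmount && amount <= product.maxAmount)) errors.push('amount');
  if (!(Number.isInteger(months) && months >= product.minMonths && months <= product.maxMonths)) errors.push('months');
  if (typeof input.fullName !== 'string' || input.fullName.trim().length < 5) errors.push('fullName');
  if (!/^\d{4}-\d{2}-\d{2}$/.test(input.birthDate || '') || !(ageOn(input.birthDate, today) >= 18)) errors.push('birthDate');
  if (!/^\d{4} \d{6}$/.test(input.passport || '')) errors.push('passport');   // series + number
  if (!isValidInn(String(input.inn || ''))) errors.push('inn');
  if (!/^\+7\d{10}$/.test(input.phone || '')) errors.push('phone');
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(input.email || '')) errors.push('email');
  if (!(Number(input.income) > 0)) errors.push('income');
  if (input.consent !== true) errors.push('consent');            // "on" or "1" is not consent
  return errors;
}

// Only validated, whitelisted values reach crm.lead.add. Passport and INN are
// deliberately not copied into the CRM lead here; they stay in the bank's own
// system (a design choice for this example, not a requirement of the page).
function buildLeadFields(input, product) {
  return {
    TITLE: `Application: ${product.name}`,
    NAME: input.fullName.trim(),
    PHONE: [{ VALUE: input.phone, VALUE_TYPE: 'WORK' }],
    EMAIL: [{ VALUE: input.email, VALUE_TYPE: 'WORK' }],
    COMMENTS: `amount=${Number(input.amount)} months=${Number(input.months)}`,
    SOURCE_ID: 'WEB',
  };
}

// Constructed sample: a product record and one application as the form posts it.
const SAMPLE_PRODUCT = { name: 'Cash loan', minAmount: 50000, maxAmount: 5000000, minMonths: 6, maxMonths: 60 };
const SAMPLE_APPLICATION = {
  amount: '1000000', months: '12', fullName: 'Ivanov Ivan Ivanovich', birthDate: '1990-05-15',
  passport: '4510 123456', inn: '500100732259', phone: '+79161234567', email: 'ivan.petrov@example.com',
  income: '150000', consent: true,
};
console.log(validateApplication(SAMPLE_APPLICATION, SAMPLE_PRODUCT, new Date('2024-01-10T00:00:00Z')));
```

The consent check compares against the boolean `true` rather than truthiness, because a posted checkbox arrives as a string and an attacker-controlled "consent=0" would otherwise pass; the amount and term are checked against the product's own limits, which is the same rule the calculator recheck relies on.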
Currency Rates
The Central Bank of Russia publishes its XML feed (https://www.cbr.ru/scripts/XML_daily.asp) once a day; a Bitrix agent polls it every 30 minutes so a new day's rates appear on the site soon after publication. Two details of the feed matter: Value uses a decimal comma ("90,5000"), and Nominal is not always 1 (JPY is quoted per 100 units), so the stored rate must be read together with the nominal. The feed is third-party XML and is parsed with external entity loading disabled. The result is written to a Highload-block with fields: currency code, nominal, rate, date. Component caching: CACHE_TIME 1800 seconds, CACHE_TYPE "A" (automatic). On the frontend, a table of major currencies (USD, EUR, CNY) and a week/month dynamics chart drawn with Chart.js.
A separate page with archive rates (the same endpoint accepts a date_req parameter for past dates) and a currency converter: a simple JS form that fetches current rates from the same Highload-block and refuses to convert if the stored rates are older than the expected publication interval, so a stalled agent does not leave stale rates on a bank site.
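The two pitfalls named above (decimal comma, non-unit nominal) and the staleness check, as an added example that is not the page's or Bitrix's code. The sample rows are constructed and the field names match the Highload-block described in the text only by assumption; fetching and XML parsing are left out, this is the part that runs once the Value strings have been extracted.

```javascript
// Added example (not from the page or 1C-Bitrix): value parsing the rate agent
// needs before writing to the Highload-block, and a converter over the stored
// rows. Sample rows are constructed; field names are assumptions.

// CBR writes Value as "75,1234" (decimal comma). Reject anything that is not a
// plain non-negative decimal so a changed feed fails loudly, not as NaN.
function parseCbrValue(text) {
  const normalized = text.trim().replace(',', '.');
  if (!/^\d+(\.\d+)?$/.test(normalized)) throw new Error(`bad rate value: ${text}`);
  return Number(normalized);
}

// Stored rows mean "rate RUB per nominal units": JPY is quoted per 100 yen.
function rubPerUnit(row) {
  return row.rate / row.nominal;
}

// Constructed rows in the shape the agent stores them (not real quotes).
const RATES = [
  { code: 'USD', nominal: 1,   rate: parseCbrValue('90,5000'), date: '2024-01-10' },
  { code: 'EUR', nominal: 1,   rate: parseCbrValue('99,0000'), date: '2024-01-10' },
  { code: 'CNY', nominal: 1,   rate: parseCbrValue('12,5000'), date: '2024-01-10' },
  { code: 'JPY', nominal: 100, rate: parseCbrValue('62,0000'), date: '2024-01-10' },
];

// Cross-rate through RUB, rounded to kopecks of the target currency. Rates older
// than maxAgeDays are refused: a stuck agent must not silently show old rates.
function convert(amount, from, to, rates, today, maxAgeDays = 1) {
  const table = new Map(rates.map((r) => [r.code, r]));
  table.set('RUB', { code: 'RUB', nominal: 1, rate: 1, date: today });
  const a = table.get(from);
  const b = table.get(to);
  if (!a || !b) throw new Error('unknown currency');
  for (const r of [a, b]) {
    const ageDays = (Date.parse(today) - Date.parse(r.date)) / 86400000;
    if (!(ageDays <= maxAgeDays)) throw new Error(`stale rate for ${r.code}`);
  }
  return Math.round((amount * rubPerUnit(a)) / rubPerUnit(b) * 100) / 100;
}

console.log(convert(100, 'USD', 'RUB', RATES, '2024-01-10'));   // 9050
console.log(convert(1, 'USD', 'JPY', RATES, '2024-01-10'));     // 145.97
```

Dividing by the nominal is the step most often missed: with the JPY row above, forgetting it would show one dollar as about 1.46 yen instead of roughly 146. The staleness check also protects against a feed that keeps returning the last published day while the agent keeps "succeeding".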
Branches and ATMs on Map
Highload-block with fields: name, type (branch/ATM/terminal), address, coordinates (latitude, longitude), working hours, available services. When the number of points exceeds 500, marker clustering on Yandex Maps via ymaps.Clusterer is mandatory—otherwise the map lags on mobile.
Filtering by point type and services (cash withdrawal, payment acceptance, currency exchange). User geolocation via navigator.geolocation for automatic map centering and sorting the list by distance. The Geolocation API is available only in secure contexts, so it works over HTTPS only, and the page must fall back to a manually chosen city when the user declines the permission prompt.
Compliance with Federal Law 395-FZ and Central Bank Requirements
Federal Law "On Banks and Banking Activities" and Central Bank directives require publishing on the website:
- License and founding documents
- Financial reports (quarterly and annual)
- Current tariffs for all products
- Information about the deposit insurance system
- Details and contact information
We create an "Information Disclosure" section with a document info-block. Properties: document type, publication date, file (PDF). Important—documents must be accessible without authorization and indexable by search engines. We configure access rights at the info-block level: read access for all, editing only for the "Compliance" group.
Bank Website Security—Second Priority After Functionality
A bank website is a target for attacks. The security approach is multi-layered.
Content Security Policy (CSP). We set the header via .htaccess or the nginx config. The policy is default-src 'self' with explicit exceptions for the CDN, map APIs and payment widgets, plus object-src 'none', base-uri 'self' and frame-ancestors to close the plugin, base-tag and framing routes that default-src alone leaves open. Inline scripts are forbidden; for Bitrix components that emit embedded JS we use a nonce. The nonce is generated fresh for every response and placed only on the script tags the template author wrote: it must never be added to every script tag by an output filter (that hands the nonce to injected scripts too), and it cannot live inside cached component HTML, because cached markup repeats across responses. This breaks some standard templates, so we rebuild them by moving their scripts into external files.
HTTP Strict Transport Security (HSTS). Header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Before enabling it, we verify that every subdomain (CDN, API, mail web interface, staging) is served over HTTPS with a valid certificate: once a browser has seen the header it refuses plain-HTTP connections to all of them for a year, and a preload-list entry is harder still to undo, since removal takes months to reach released browsers. We roll out with a short max-age first and raise it to a year only after the check passes.
Proactive Bitrix Protection. We enable all modules: web antivirus, activity control, DDoS protection (request limits), two-factor authentication for administrators, intrusion log. We configure IP blacklisting for brute-force attempts.
WAF (Web Application Firewall). The standard "Proactive Protection" module (its proactive filter) covers basic SQL injection and XSS patterns. For banking requirements we add an external WAF: ModSecurity with the OWASP Core Rule Set, or Cloudflare WAF. Rules are tightened for the application forms and the calculator API endpoints, where anomalous requests are blocked. The external WAF first runs in detection-only mode over real traffic: free-text fields in a loan application (names with apostrophes, addresses with brackets and quotes) trip generic rules, and those false positives are tuned out before blocking is switched on, otherwise the WAF quietly drops legitimate applications.
Data Encryption. Personal data in the database is encrypted at the application level; the main module supports this via CryptoProvider. The encryption key is kept outside the database and outside the backup set, because a key stored next to the data protects nothing once a backup leaks. Backups are stored only in encrypted form. The database connection uses TLS.
Audit and Monitoring. The "Event Log" module records all administrator actions. On top of it we configure alerts for: changes to kernel files (integrity control), more than 5 failed login attempts per minute from one address, and changes to security module settings. Alerts are delivered to a channel outside the site itself, so an attacker who obtains admin rights cannot quietly switch them off from the same panel.
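The "more than 5 failed logins per minute" rule from the monitoring paragraph, and the per-address blocklisting from the proactive protection paragraph, run over a few constructed log lines. This is an added example, not the page's tooling and not the Bitrix intrusion log format; the line layout is invented for the example, and a real deployment would feed the same sliding-window logic from the event log or the web server's access log.

```javascript
// Added example (not from the page or 1C-Bitrix): sliding-window detection of
// failed-login bursts per source IP. The log line format is invented for the
// example; the lines themselves are constructed.

const SAMPLE_LOG = `
2024-01-10T09:00:01Z ip=203.0.113.7 login=admin result=fail
2024-01-10T09:00:09Z ip=203.0.113.7 login=admin result=fail
2024-01-10T09:00:15Z ip=203.0.113.7 login=root result=fail
2024-01-10T09:00:22Z ip=203.0.113.7 login=admin result=fail
2024-01-10T09:00:31Z ip=203.0.113.7 login=editor result=fail
2024-01-10T09:00:40Z ip=203.0.113.7 login=admin result=fail
2024-01-10T09:00:44Z ip=198.51.100.2 login=ivanov result=fail
2024-01-10T09:01:50Z ip=198.51.100.2 login=ivanov result=ok
2024-01-10T09:02:05Z ip=203.0.113.7 login=admin result=fail
`.trim();

const LINE = /^(\S+) ip=(\S+) login=(\S+) result=(\S+)$/;

function parseLine(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null;                      // unparseable lines are skipped, not trusted
  return { ts: Date.parse(m[1]), ip: m[2], login: m[3], ok: m[4] === 'ok' };
}

// Keep, per IP, only the failures inside the last windowMs; alert once when the
// count exceeds the threshold. One alert per IP, carrying the timestamp of the
// failure that tipped it over and the logins tried, ready for the blocklist.
function detectBruteForce(logText, { threshold = 5, windowMs = 60000 } = {}) {
  const recent = new Map();   // ip -> [{ ts, login }, ...] inside the window
  const alerted = new Set();
  const alerts = [];
  for (const raw of logText.split('\n')) {
    const ev = parseLine(raw);
    if (!ev || ev.ok) continue;
    const hits = recent.get(ev.ip) || [];
    while (hits.length && ev.ts - hits[0].ts >= windowMs) hits.shift();
    hits.push({ ts: ev.ts, login: ev.login });
    recent.set(ev.ip, hits);
    if (hits.length > threshold && !alerted.has(ev.ip)) {
      alerted.add(ev.ip);
      alerts.push({
        ip: ev.ip,
        failures: hits.length,
        logins: [...new Set(hits.map((h) => h.login))],
        at: new Date(ev.ts).toISOString(),
      });
    }
  }
  return alerts;
}

console.log(detectBruteForce(SAMPLE_LOG));
```

The window is keyed by source address rather than by login, which is what catches the password-spraying pattern in the sample (several different logins from one address); a per-login window is the complement for attacks spread across many addresses, and the two are usually run side by side.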
Bank Website Development Stages
| Stage | Content | Timeframe |
|---|---|---|
| Analytics | Audit of current site, collection of Central Bank requirements, calculator prototypes | 3–4 weeks |
| Design | UI kit, adaptive layouts of key pages, UX of calculators | 3–4 weeks |
| Markup and Frontend | Component templates, JS calculators, responsiveness | 4–5 weeks |
| Backend Development | Info-blocks, integrations (Central Bank API, CRM/core banking, maps), application forms | 5–6 weeks |
| Security | CSP, HSTS, WAF, encryption, vulnerability audit | 2–3 weeks |
| Testing | Functional, load testing, penetration testing | 2–3 weeks |
| Launch and Support | Migration, monitoring, editor training | 1–2 weeks |
Total timeframe—from 20 weeks with parallel design and analytics work. A banking project cannot be rushed: each component passes security review before production.