X-Frame-Options - Embedding Zendesk Help Center


  • Thomas Verschoren
    Community Moderator

    Embedding websites can lead to security risks since someone could use your content, use it in a fraudulent website, and still pretend it’s you.

    This article by Zendesk and this one by Troy Hunt explain the risks quite nicely.

    I have had a few customers in consultancy where we wanted to embed Zendesk.

    All of them ended up with a combination of

    • The widget with Answer Bot or Guide on their www.domain.com website
    • A custom branded Help Center that exactly mirrors the layout of their website.

    This gave a few benefits:

    • Better Mobile Experience (or responsive) since the Help Center scales across platforms
    • Since people actually visited the pages and the Help Center was branded on its own, when an agent linked to an article, or when they arrived on the Help Center via Google search, it still looked and felt like their brand and website.

    So a custom theme might be worth looking into.

  • Cakra Hendra

    Hi Thomas,

    Thank you for the response. I have run through and read those before submitting the support ticket and subsequently this feedback / request. A custom theme is not a workable solution for us, as this would require us to duplicate development effort and maintenance which are not our core solution and offering to our customers.

    If you read through the comments on that article you would see that there was a proposed solution to have a configurable ALLOW-FROM in the XFO header, which is also mentioned in the article by Troy Hunt. We, the customer, bear the risk with this. Zendesk can set the option to DENY by default and put an alarm or other bells and whistles in place to remind us. But it would be our conscious decision to change that to ALLOW-FROM.

    As mentioned by Jcoy (https://support.zendesk.com/hc/en-us/articles/203657536/comments/360001733907), with which I fully agree: "This doesn't pose any more of a security risk than what is already inherent in our application".

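The thread above asks for a per-account ALLOW-FROM on the X-Frame-Options header with DENY as the default. The following is an added example (not code from Zendesk or from any commenter) that evaluates those header values the way a browser does, so an operator can see what a given policy actually permits before relying on it. It also covers the Content-Security-Policy frame-ancestors directive, which is the standardised replacement for ALLOW-FROM: Chromium and Safari never implemented ALLOW-FROM and ignore the whole X-Frame-Options header when they encounter it, so a site that ships only ALLOW-FROM is frameable from anywhere in those browsers. The `browser_honours_allow_from` switch lets you compare the two behaviours. Every URL and header value in the block is constructed for illustration.

```python
"""Decide whether a browser will render `page_url` inside a frame hosted on
`framer_url`, given the page's response headers.

Implements X-Frame-Options (DENY, SAMEORIGIN, deprecated ALLOW-FROM) and the
CSP frame-ancestors directive, which takes precedence when both are present.
Added example; URLs and headers are constructed, not taken from any real site.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> str:
    """Normalise a URL to its origin: scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def _host_source_matches(source: str, framer_url: str, page_scheme: str) -> bool:
    """Match one CSP host-source (e.g. https://*.example.test:8443) against the framer."""
    framer = urlsplit(framer_url)
    scheme, sep, host = source.partition("://")
    if sep:
        if scheme != framer.scheme:
            return False
    else:
        # Scheme-less source: matches the page's own scheme, or https as an upgrade.
        host = source
        if framer.scheme not in (page_scheme, "https"):
            return False
    host, _, port = host.partition(":")
    framer_port = framer.port or DEFAULT_PORTS.get(framer.scheme)
    if port and port != "*" and str(framer_port) != port:
        return False
    if host.startswith("*."):
        # *.example.test matches www.example.test but not example.test itself.
        return framer.hostname.endswith(host[1:])
    return framer.hostname == host


def frame_ancestors_allows(directive: str, page_url: str, framer_url: str) -> bool:
    """Evaluate the value of a frame-ancestors directive (text after the keyword)."""
    sources = directive.lower().split()
    if not sources or sources == ["'none'"]:
        return False
    page_scheme = urlsplit(page_url).scheme.lower()
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if origin_of(framer_url) == origin_of(page_url):
                return True
        elif src in ("https:", "http:"):  # scheme-source
            if framer_url.lower().startswith(src + "//"):
                return True
        elif src != "'none'" and _host_source_matches(src, framer_url, page_scheme):
            return True
    return False


def x_frame_options_allows(value: str, page_url: str, framer_url: str,
                           browser_honours_allow_from: bool = False) -> bool:
    """Evaluate an X-Frame-Options header.

    Current browsers support only DENY and SAMEORIGIN. ALLOW-FROM was honoured
    by old Internet Explorer and Firefox; Chromium and Safari treat it as an
    invalid value and ignore the header, which permits framing everywhere.
    """
    values = {v.strip().upper() for v in value.split(",") if v.strip()}
    if not values:
        return True
    if len(values) > 1:  # conflicting directives: Chromium refuses to frame
        return False
    token, _, rest = values.pop().partition(" ")
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return origin_of(framer_url) == origin_of(page_url)
    if token == "ALLOW-FROM" and browser_honours_allow_from:
        return origin_of(rest.strip()) == origin_of(framer_url)
    return True  # unrecognised (or unsupported) directive: header ignored


def framing_allowed(headers: dict, page_url: str, framer_url: str,
                    browser_honours_allow_from: bool = False) -> bool:
    """Combine the headers as a browser does: frame-ancestors wins over XFO."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return frame_ancestors_allows(value, page_url, framer_url)
    if "x-frame-options" in lower:
        return x_frame_options_allows(lower["x-frame-options"], page_url,
                                      framer_url, browser_honours_allow_from)
    return True  # no framing policy at all


if __name__ == "__main__":
    # Constructed sample: a help center framed by the customer's own site
    # and by an unrelated third-party site.
    HELP_CENTER = "https://customer.zendesk.test/hc/en-us"
    CUSTOMER_SITE = "https://www.customer.test/support"
    OTHER_SITE = "https://unrelated.test/"
    policies = {
        "deny": {"X-Frame-Options": "DENY"},
        "allow-from": {"X-Frame-Options": "ALLOW-FROM https://www.customer.test"},
        "frame-ancestors": {"X-Frame-Options": "DENY",
                            "Content-Security-Policy":
                            "frame-ancestors 'self' https://*.customer.test"},
    }
    for name, hdrs in policies.items():
        for framer in (CUSTOMER_SITE, OTHER_SITE):
            print(f"{name:16} {framer:32} modern={framing_allowed(hdrs, HELP_CENTER, framer)} "
                  f"legacy={framing_allowed(hdrs, HELP_CENTER, framer, True)}")
```

Running the block prints a matrix of policies against framing sites. The `allow-from` row is the instructive one: a legacy browser admits only the allowlisted customer site, while a modern browser admits both, because the header is discarded as invalid. The `frame-ancestors` row gives the allowlist behaviour the thread is asking for in every current browser, and the accompanying `X-Frame-Options: DENY` is still worth sending as a fallback for clients without CSP support.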

  • Dmitry

    It's not about the custom theme. It's about providing a seamless experience for my users. I don't want them to have to open several browser windows; I want them to be able to see the support article and to repeat the actions described there.

    You HAVE TO allow for this little setting to be turned on. Otherwise, with your outdated widgets people will flock away to somebody else who will offer the same option.

  • Patrick Bihan-Faou

    This is an issue for us too. Quite ironically, you provide a widget to embed other web content in an iframe inside Zendesk, but you don't reciprocate.

    I fully agree that allowing uncontrolled embedding of Zendesk inside iframes can be considered dangerous, but nobody is asking for that. What people want is embedding the Zendesk Help Center inside a controlled area. In these areas, embedding the Zendesk Help Center does not expose our users to any more risks than using the tools we provide them.

    The option of completely recoding the Help Center using the API is ludicrous. If we have to rewrite the Zendesk UI, why not rewrite it all and get rid of Zendesk altogether... The reason why we pay for your services is because we don't want to do that.

