HTTP response headers of help center

7 Comments

  • Giancarlo Zaccaria

    It's really important. Any update on this topic, Zendesk?

    0
  • Jeff Moyer

    This is really important for us as well, any update?

    0
  • Alvaro del Río

    This is also affecting us and it is really important. Any update?

    0
  • Jorge Rojas Catalan

    We need the same. Security and risk scores are affected by Zendesk help center because de lack of this headers. 

    0
  • Jonathan Guihard

    This is really important for us as well, any update?

    0
  • Steven Aranaga

    Radio silence?  Hello?  Security review just hit some of this...

    0
  • Max McCal
    Zendesk Product Manager
    Hey, all –
    Thanks for raising this issue. I'll address the headers individually.
    • Strict-Transport-Security – This is in place, as the report from securityheaders.com shows.
    • Content-Security-Policy – This is something we're currently working on. Implementing CSP is a complex undertaking as any misconfiguration can impact application functionality, but it is in progress. In the meantime we use other security headers, same-origin policies, input validation and HTML output encoding to mitigate many risks that can also be addressed by CSP.
    • X-Content-Type-Options – This header is present on endpoints where it provides a specific security benefit, such as attachment responses where mime sniffing attacks can occur. It's not implemented on all Zendesk endpoints, however.
    • Referrer-Policy – We are aware of this, but have no plans to implement it at this time.

    For those who are looking for more in this area, we'd love to hear specifics. 

    0

Please sign in to leave a comment.

Powered by Zendesk