HTTP response headers of help center
Feature Request Summary:
Either Zendesk Guide makes the following HTTP response headers mandatory for its help centers, or it offers customization of the HTTP response headers.
Description/Use Cases:
Zendesk help center(s) are lacking some security HTTP response headers, which is hurting our company's security rating and reputation.
- Strict-Transport-Security
- Content-Security-Policy
- X-Content-Type-Options
- Referrer-Policy
Business impact of limitation or missing feature:
That's a critical one for us; this leads to a downgrading of our group by several sites and to general trust issues with potential customers.
Other necessary information or resources:
For example, the rating of Zendesk's own help center (which applies to all Zendesk customer help centers):
https://securityheaders.com/?q=https%3A%2F%2Fsupport.zendesk.com%2Fhc%2Fde&followRedirects=on
-
It's really important. Any update on this topic, Zendesk?
-
This is really important for us as well, any update?
-
This is also affecting us and it is really important. Any update?
-
We need the same. Security and risk scores are affected by the Zendesk help center because of the lack of these headers.
-
This is really important for us as well, any update?
-
Radio silence? Hello? Security review just hit some of this...
-
Hey, all –
Thanks for raising this issue. I'll address the headers individually.
- Strict-Transport-Security – This is in place, as the report from securityheaders.com shows.
- Content-Security-Policy – This is something we're currently working on. Implementing CSP is a complex undertaking as any misconfiguration can impact application functionality, but it is in progress. In the meantime we use other security headers, same-origin policies, input validation and HTML output encoding to mitigate many risks that can also be addressed by CSP.
- X-Content-Type-Options – This header is present on endpoints where it provides a specific security benefit, such as attachment responses where mime sniffing attacks can occur. It's not implemented on all Zendesk endpoints, however.
- Referrer-Policy – We are aware of this, but have no plans to implement it at this time.
For those who are looking for more in this area, we'd love to hear specifics.
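As an added illustration of the checks behind a rating like the securityheaders.com report linked above (for the four headers listed in the request and discussed in the reply), the following script audits a response's headers the way a defender would before and after a fix. It is example code written for this page, not Zendesk code, and the two sample responses it contains are constructed for the demonstration, not captured from any help center.

```python
"""Audit HTTP response headers for the four security headers discussed in
this thread: Strict-Transport-Security, Content-Security-Policy,
X-Content-Type-Options and Referrer-Policy.

Added example, not Zendesk code. The sample responses below are
constructed for illustration only.
"""
from __future__ import annotations
import re

ONE_YEAR = 31536000  # seconds; a common minimum recommendation for HSTS max-age

# Referrer-Policy values that never send the full URL to a cross-origin site.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP response into a lower-cased dict.
    The status line is skipped; repeated headers are joined with ', '."""
    headers: dict[str, str] = {}
    lines = raw.strip().splitlines()
    body = lines[1:] if lines and lines[0].startswith("HTTP/") else lines
    for line in body:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a finding ('ok', 'missing' or 'weak: ...') per security header."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: dict[str, str] = {}

    # Strict-Transport-Security: present, long max-age, ideally includeSubDomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings["Strict-Transport-Security"] = f"weak: max-age={max_age} (< 1 year)"
        elif "includesubdomains" not in hsts.lower():
            findings["Strict-Transport-Security"] = "ok (consider includeSubDomains)"
        else:
            findings["Strict-Transport-Security"] = "ok"

    # Content-Security-Policy: present and not undermined by unsafe-inline/eval.
    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing"
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings["Content-Security-Policy"] = "weak: allows 'unsafe-inline' or 'unsafe-eval'"
    else:
        findings["Content-Security-Policy"] = "ok"

    # X-Content-Type-Options: the only meaningful value is 'nosniff'.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto.strip().lower() != "nosniff":
        findings["X-Content-Type-Options"] = f"weak: unexpected value {xcto!r}"
    else:
        findings["X-Content-Type-Options"] = "ok"

    # Referrer-Policy: browsers use the last recognised token of a comma list.
    rp = h.get("referrer-policy")
    if rp is None:
        findings["Referrer-Policy"] = "missing"
    else:
        effective = [t.strip().lower() for t in rp.split(",")][-1]
        if effective in SAFE_REFERRER_POLICIES:
            findings["Referrer-Policy"] = "ok"
        else:
            findings["Referrer-Policy"] = f"weak: {effective} can leak full URLs cross-origin"
    return findings


def missing_headers(findings: dict[str, str]) -> list[str]:
    """Names of headers the audit reported as absent, in audit order."""
    return [name for name, verdict in findings.items() if verdict == "missing"]


# Constructed sample: HSTS set, the other three headers absent.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
Cache-Control: no-cache
"""

# Constructed sample: the same response with all four headers hardened.
SAMPLE_AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for name, verdict in audit_security_headers(parse_headers(raw)).items():
            print(f"  {name}: {verdict}")
```

The CSP check is deliberately shallow: it only flags the two source keywords that most commonly negate a policy's script restrictions, which matches the reply's point that a policy is easy to misconfigure and should be reviewed against the application rather than rated by mere presence.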