English (US)

HTTP response headers of help center

Martin Sasse
  • Edited

Feature Request Summary: 

Either Zendesk Guide make the following HTTP response headers for their help centers mandatory or offers a customization of the HTTP response headers.

Description/Use Cases: 

Zendesk help center(s) are lacking some security HTTP response headers which is hurting our company's security rating and reputation.

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Content-Type-Options
  • Referrer-Policy

Business impact of limitation or missing feature:

That's a critical one for us, these leads to downgrading of our group by several sites and generally trust issues with potential customers.

Other necessary information or resources:

For example the rating of Zendesk's own help center (which applies to all Zendesk customer help centers):

https://securityheaders.com/?q=https%3A%2F%2Fsupport.zendesk.com%2Fhc%2Fde&followRedirects=on

7 Comments

  • Giancarlo Zaccaria

    It's really important. Any update on this topic, Zendesk?

    0
  • Jeff Moyer

    This is really important for us as well, any update?

    0
  • Alvaro del Río

    This is also affecting us and it is really important. Any update?

    0
  • Jorge Rojas Catalan

    We need the same. Security and risk scores are affected by Zendesk help center because de lack of this headers. 

    0
  • Jonathan Guihard

    This is really important for us as well, any update?

    0
  • Steven Aranaga

    Radio silence?  Hello?  Security review just hit some of this...

    0
  • Max McCal
    Zendesk Product Manager
    Hey, all –
    Thanks for raising this issue. I'll address the headers individually.
    • Strict-Transport-Security – This is in place, as the report from securityheaders.com shows.
    • Content-Security-Policy – This is something we're currently working on. Implementing CSP is a complex undertaking as any misconfiguration can impact application functionality, but it is in progress. In the meantime we use other security headers, same-origin policies, input validation and HTML output encoding to mitigate many risks that can also be addressed by CSP.
    • X-Content-Type-Options – This header is present on endpoints where it provides a specific security benefit, such as attachment responses where mime sniffing attacks can occur. It's not implemented on all Zendesk endpoints, however.
    • Referrer-Policy – We are aware of this, but have no plans to implement it at this time.

    For those who are looking for more in this area, we'd love to hear specifics. 

    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post
Powered by Zendesk