HTTP response headers of help center

image avatar

Martin Sasse

Posted Jun 21, 2022

Feature Request Summary: 

Either Zendesk Guide make the following HTTP response headers for their help centers mandatory or offers a customization of the HTTP response headers.

Description/Use Cases: 

Zendesk help center(s) are lacking some security HTTP response headers which is hurting our company's security rating and reputation.

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Content-Type-Options
  • Referrer-Policy

Business impact of limitation or missing feature:

That's a critical one for us, these leads to downgrading of our group by several sites and generally trust issues with potential customers.

Other necessary information or resources:

For example the rating of Zendesk's own help center (which applies to all Zendesk customer help centers):

https://securityheaders.com/?q=https%3A%2F%2Fsupport.zendesk.com%2Fhc%2Fde&followRedirects=on

10

9

9 comments

Date
    Newest
      image avatar

      Yadir Garcia

      Esto también nos está afectando a nosotros y es muy importante. ¿Alguna actualización?

      0

      image avatar

      Kai Fan

      Would it be possible to increase the HSTS header to 1 year?

      1

      image avatar

      Max McCal

      Hey, all –
      Thanks for raising this issue. I'll address the headers individually.
      • Strict-Transport-Security – This is in place, as the report from securityheaders.com shows.
      • Content-Security-Policy – This is something we're currently working on. Implementing CSP is a complex undertaking as any misconfiguration can impact application functionality, but it is in progress. In the meantime we use other security headers, same-origin policies, input validation and HTML output encoding to mitigate many risks that can also be addressed by CSP.
      • X-Content-Type-Options – This header is present on endpoints where it provides a specific security benefit, such as attachment responses where mime sniffing attacks can occur. It's not implemented on all Zendesk endpoints, however.
      • Referrer-Policy – We are aware of this, but have no plans to implement it at this time.

      For those who are looking for more in this area, we'd love to hear specifics. 

      -1

      image avatar

      Steven Aranaga

      Radio silence?  Hello?  Security review just hit some of this...

      0

      image avatar

      Jonathan Guihard

      This is really important for us as well, any update?

      1

      image avatar

      Jorge Rojas Catalan

      We need the same. Security and risk scores are affected by Zendesk help center because de lack of this headers. 

      1

      image avatar

      Alvaro del Río

      This is also affecting us and it is really important. Any update?

      1

      image avatar

      Jeff Moyer

      This is really important for us as well, any update?

      1

      image avatar

      Giancarlo Zaccaria

      It's really important. Any update on this topic, Zendesk?

      1

      Sign in to leave a comment.

      Didn't find what you're looking for?

      New post