HTTP response headers of help center


  • Giancarlo Zaccaria

    It's really important. Any update on this topic, Zendesk?

  • Jeff Moyer

    This is really important for us as well, any update?

  • Alvaro del Río

    This is also affecting us and it is really important. Any update?

  • Jorge Rojas Catalan

    We need the same. Security and risk scores are affected by Zendesk help center because of the lack of these headers.

  • Jonathan Guihard

    This is really important for us as well, any update?

  • Steven Aranaga

    Radio silence? Hello? Security review just hit some of this...

  • Max McCal
    Zendesk Product Manager
    Hey, all –
    Thanks for raising this issue. I'll address the headers individually.
    • Strict-Transport-Security – This is in place, as the report from shows.
    • Content-Security-Policy – This is something we're currently working on. Implementing CSP is a complex undertaking as any misconfiguration can impact application functionality, but it is in progress. In the meantime we use other security headers, same-origin policies, input validation and HTML output encoding to mitigate many risks that can also be addressed by CSP.
    • X-Content-Type-Options – This header is present on endpoints where it provides a specific security benefit, such as attachment responses where mime sniffing attacks can occur. It's not implemented on all Zendesk endpoints, however.
    • Referrer-Policy – We are aware of this, but have no plans to implement it at this time.

    For those who are looking for more in this area, we'd love to hear specifics. 
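One way to verify which of the four headers Max lists are actually returned by a given endpoint is a small audit over the response headers. This is an added example, not Zendesk's code or the scanner the thread refers to; the sample header values are constructed rather than captured from any Zendesk host, and the thresholds (a one-year HSTS max-age, a CSP that must carry default-src or script-src, and the set of Referrer-Policy values accepted) are the example's own assumptions.

```python
"""Audit a set of HTTP response headers for the four headers in this thread."""
import re

# Constructed sample, not captured from a real host: HSTS and nosniff present,
# CSP and Referrer-Policy absent, which mirrors the status described above.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}

# Referrer-Policy values treated as acceptable by this example (an assumption).
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def _lower(headers):
    # Header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def check_hsts(headers, min_age=31536000):
    """HSTS present with max-age of at least min_age seconds (default one year)."""
    value = _lower(headers).get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= min_age


def check_csp(headers):
    """CSP present and carrying a default-src or script-src directive."""
    value = _lower(headers).get("content-security-policy", "")
    directives = {d.strip().split()[0].lower() for d in value.split(";") if d.strip()}
    return bool(directives & {"default-src", "script-src"})


def check_nosniff(headers):
    """X-Content-Type-Options is exactly 'nosniff'."""
    return _lower(headers).get("x-content-type-options", "").strip().lower() == "nosniff"


def check_referrer(headers):
    """Referrer-Policy present; the last listed policy wins and must be an accepted one."""
    tokens = [t.strip().lower() for t in _lower(headers).get("referrer-policy", "").split(",")]
    tokens = [t for t in tokens if t]
    return bool(tokens) and tokens[-1] in SAFE_REFERRER_POLICIES


def audit(headers):
    """Map each of the four header names to True (acceptable) or False (missing/weak)."""
    return {"Strict-Transport-Security": check_hsts(headers),
            "Content-Security-Policy": check_csp(headers),
            "X-Content-Type-Options": check_nosniff(headers),
            "Referrer-Policy": check_referrer(headers)}


def missing(headers):
    """Sorted list of header names that failed the audit."""
    return sorted(name for name, ok in audit(headers).items() if not ok)
```

Run `audit(SAMPLE_HEADERS)` to see the two failing headers; replace the dict with headers from a real response (for example, from `requests.head(url).headers`) to audit a live endpoint.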

