
HTTP response headers of help center



Posted Jun 21, 2022

Feature Request Summary: 

Either Zendesk Guide makes the following HTTP response headers mandatory for its help centers, or it offers customization of the HTTP response headers.

Description/Use Cases: 

Zendesk help center(s) are lacking some security HTTP response headers which is hurting our company's security rating and reputation.

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Content-Type-Options
  • Referrer-Policy

Business impact of limitation or missing feature:

That's a critical one for us; this leads to downgrading of our group by several sites and, generally, to trust issues with potential customers.

Other necessary information or resources:

For example the rating of Zendesk's own help center (which applies to all Zendesk customer help centers):

https://securityheaders.com/?q=https%3A%2F%2Fsupport.zendesk.com%2Fhc%2Fde&followRedirects=on



9 comments

It's really important. Any update on this topic, Zendesk?

1


This is really important for us as well, any update?

1


This is also affecting us and it is really important. Any update?

1


We need the same. Security and risk scores are affected by the Zendesk help center because of the lack of these headers.

1


This is really important for us as well, any update?

1


Radio silence? Hello? Security review just hit some of this...

0



Max McCal

Zendesk Product Manager

Hey, all –
Thanks for raising this issue. I'll address the headers individually.
  • Strict-Transport-Security – This is in place, as the report from securityheaders.com shows.
  • Content-Security-Policy – This is something we're currently working on. Implementing CSP is a complex undertaking as any misconfiguration can impact application functionality, but it is in progress. In the meantime we use other security headers, same-origin policies, input validation and HTML output encoding to mitigate many risks that can also be addressed by CSP.
  • X-Content-Type-Options – This header is present on endpoints where it provides a specific security benefit, such as attachment responses where mime sniffing attacks can occur. It's not implemented on all Zendesk endpoints, however.
  • Referrer-Policy – We are aware of this, but have no plans to implement it at this time.

For those who are looking for more in this area, we'd love to hear specifics. 

-1


Would it be possible to increase the HSTS header to 1 year?

1
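As an added illustration (not code from Zendesk or from anyone in this thread), the check below audits a captured set of response headers for the four headers listed in the request, using the one-year HSTS max-age asked for in the previous comment as the threshold. All header names, values and the sample responses are constructed for the example.

```python
# Added example, not from the thread: audit response headers for the four headers discussed above.
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the HSTS max-age requested in the thread


def _parse_max_age(hsts_value: str) -> int:
    """Return the max-age directive of an HSTS header value, or -1 if absent or invalid."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four checks pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif _parse_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age below one year")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


# Constructed sample: a help-center-style response carrying only a short-lived HSTS header.
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
}
# Constructed sample: the same response with all four headers set to reasonable values.
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Feeding the function the headers from a real response (for example the dict a `requests` response exposes) gives the same style of finding list that securityheaders.com summarises as a grade.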


This is also affecting us and it is very important. Any update?

0

