• Giancarlo Zaccaria

  • 7 octobre 2022 14:14

  It's really important. Any update on this topic, Zendesk?

• Jeff Moyer

  • 13 octobre 2022 20:53

  This is really important for us as well, any update?

• Alvaro del Río

  • 27 octobre 2022 13:32

  This is also affecting us and it is really important. Any update?

• Jorge Rojas Catalan

  • 22 décembre 2022 19:54

  We need the same. Security and risk scores are affected by Zendesk help center because de lack of this headers. 

• Jonathan Guihard

  • 5 avril 2023 10:09

  This is really important for us as well, any update?

• Steven Aranaga

  • 2 mai 2023 00:07

  Radio silence?  Hello?  Security review just hit some of this...

• Max McCal

  • 30 juin 2023 17:00

  Zendesk Product Manager

  Hey, all –
  Thanks for raising this issue. I'll address the headers individually.

  • Strict-Transport-Security – This is in place, as the report from securityheaders.com shows.
  • Content-Security-Policy – This is something we're currently working on. Implementing CSP is a complex undertaking as any misconfiguration can impact application functionality, but it is in progress. In the meantime we use other security headers, same-origin policies, input validation and HTML output encoding to mitigate many risks that can also be addressed by CSP.
  • X-Content-Type-Options – This header is present on endpoints where it provides a specific security benefit, such as attachment responses where mime sniffing attacks can occur. It's not implemented on all Zendesk endpoints, however.
  • Referrer-Policy – We are aware of this, but have no plans to implement it at this time.

  For those who are looking for more in this area, we'd love to hear specifics. 

• Kai Fan

  • 13 novembre 2023 16:51

  Would it be possible to increase the HSTS header to 1 year?

Vous devez vous connecter pour laisser un commentaire.