Possible Queries:
- Our company is undergoing a security audit, hence we would need the following security headers: Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy and X-Frame-Options. Could you enable these on our Freshdesk account?
- I want to enable the referrer-policy security header on my Freshdesk account for security purposes. Is it available?
- I want to enable the X-XSS-Protection header on my Freshdesk account. How can I do this?
- I want to enable the Strict-Transport-Security on my Freshdesk account. How can I achieve this?
- I want to enable CSP on my Freshdesk customer portal. How can I achieve this?
Resolution Path:
Our company is undergoing a security audit, hence we would need the following security headers: Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy and X-Frame-Options. Could you enable these on our Freshdesk account?
The X-Frame-Options header can be enabled by navigating to Admin > Security and activating the "Allow Portals to be embedded as iframes" toggle.
Permissions-Policy can be enabled from the backend by raising a Support L2 ticket.
Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy - You can suggest the customer enable the customer portal CSP, which adds these headers, by following the steps in this link.
I want to enable the referrer-policy security header on my Freshdesk account for security purposes. Is it available?
To begin with, let's understand what the Referrer-Policy security header does: the Referrer-Policy HTTP response header governs how much referrer information, sent in the Referer request header, is included with the requests a page makes.
This header matters on pages such as password reset, where the URL contains a secret token. Without it, every resource loaded from that page receives the token through the Referer header. Setting a strict Referrer-Policy on those pages prevents sensitive tokens in URLs from leaking through the referrer.
If a customer wants to add this to their header policy, we can enable it from the backend. Confirm the customer's Freshdesk URL and raise a Support L2 ticket.
I want to enable the X-XSS-Protection header on my Freshdesk account. How can I do this?
The HTTP X-XSS-Protection response header instructs the browser to stop loading a page when it detects a reflected cross-site scripting attack. Modern browsers no longer need this header; the same protection is handled by the CSP.
I want to enable the Strict-Transport-Security on my Freshdesk account. How can I achieve this?
The HTTP Strict-Transport-Security response header lets a website tell browsers that it should be accessed only using HTTPS and not HTTP. This is enabled by default across all Freshdesk accounts.
I want to enable CSP on my Freshdesk customer portal. How can I achieve this?
Content Security Policy (CSP) is a response header that adds a layer of security to help detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks (these attacks are used for data theft from the browser, site defacement and distribution of malware). You can suggest the customer follow the steps in this link to enable the CSP on their customer portal.
If the customer shares any other header policies, you can check with Floor coaches and raise an L2 ticket based on their suggestions.
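As an added check (example code, not Freshdesk's own), the following Python audits a set of response headers for the headers discussed above, reporting which are missing, weak or deprecated; the sample headers and the one-year HSTS max-age threshold are assumptions.

```python
# Added example (not Freshdesk code): audit response headers for the headers this article covers.
import re
from typing import Dict

# Headers the article covers; HSTS and CSP are default/portal-side, the rest are enabled per the steps above.
EXPECTED = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
    "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy",
    "Cross-Origin-Embedder-Policy",
)
# Minimum HSTS max-age many auditors expect (one year); the threshold is an assumption.
MIN_HSTS_MAX_AGE = 31536000

def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a finding per header: 'ok', 'missing', or a short reason."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    for name in EXPECTED:
        value = lower.get(name.lower())
        if value is None:
            findings[name] = "missing"
            continue
        findings[name] = "ok"
        if name == "Strict-Transport-Security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            if not m:
                findings[name] = "weak: no max-age directive"
            elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
                findings[name] = f"weak: max-age {m.group(1)} below one year"
        elif name == "Referrer-Policy" and value.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
            findings[name] = "weak: leaks full URL (and any token in it) cross-origin"
    # The article notes modern browsers do not need X-XSS-Protection; CSP covers it.
    if "x-xss-protection" in lower:
        findings["X-XSS-Protection"] = "deprecated: rely on CSP instead"
    return findings

# Constructed sample response headers (not captured from a real portal).
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "unsafe-url",
    "X-XSS-Protection": "1; mode=block",
}
```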