The Mozilla Observatory gives our Zimbra installation a C rating, mainly because of missing security headers. Can we expect to have these security problems (some fairly important, some not so, but all should be easy to implement) corrected in the next Zimbra release?
Content Security Policy (-25): Content Security Policy (CSP) header not implemented
Cookies (-5): Cookies set without using the Secure flag, but transmission over HTTP prevented by HSTS
X-Content-Type-Options (-5): X-Content-Type-Options header not implemented
X-XSS-Protection (-10): X-XSS-Protection header not implemented
Content-Security-Policy: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
Public-Key-Pins: HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
X-XSS-Protection: X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value: "X-XSS-Protection: 1; mode=block".
X-Content-Type-Options: X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
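For anyone who wants to verify the same four findings on their own server without waiting for an external scan, the following checker is an added example (not Zimbra's code and not the Observatory's scoring engine). It parses a raw HTTP response and reports the checks listed above: CSP present, X-Content-Type-Options set to nosniff, X-XSS-Protection set to "1; mode=block", and Set-Cookie carrying the Secure flag (noting whether HSTS is present as a mitigation). The two sample responses are constructed, and the score is simply 100 minus the deductions quoted in the report above; the real Observatory grade mapping is not reproduced.

```python
"""Audit a raw HTTP response for the security headers flagged in the
Observatory report quoted above. Added example; sample data is constructed."""
from typing import Dict, List, Tuple

# Point deductions exactly as quoted from the Observatory report in the post.
DEDUCTIONS = {
    "csp-missing": 25,
    "cookie-not-secure": 5,
    "nosniff-missing": 5,
    "xss-protection-missing": 10,
}


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse the header block of an HTTP/1.1 response into a map of
    lower-cased header name -> list of values. Repeated headers such as
    Set-Cookie are kept as separate list entries."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: bytes) -> Tuple[int, List[str]]:
    """Return (score, findings). Findings are the deduction keys above;
    'hsts-present' is informational and carries no deduction."""
    h = parse_headers(raw)
    findings: List[str] = []

    if "content-security-policy" not in h:
        findings.append("csp-missing")

    nosniff = [v.lower() for v in h.get("x-content-type-options", [])]
    if "nosniff" not in nosniff:
        findings.append("nosniff-missing")

    xss = [v.replace(" ", "").lower() for v in h.get("x-xss-protection", [])]
    if "1;mode=block" not in xss:
        findings.append("xss-protection-missing")

    # A cookie is only as safe as its attributes: any Set-Cookie without
    # the Secure flag could be sent over plain HTTP unless HSTS prevents it.
    for cookie in h.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie-not-secure")
            break
    if "strict-transport-security" in h:
        findings.append("hsts-present")

    score = 100 - sum(DEDUCTIONS.get(f, 0) for f in findings)
    return score, findings


# Constructed sample: the state described in the report (HSTS on, rest missing).
RESPONSE_BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"\r\n"
    b"<html></html>"
)

# Constructed sample: the same response with the recommended headers added.
RESPONSE_AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        score, findings = audit(resp)
        print(f"{label}: score={score} findings={findings}")
```

To run it against a live server, replace the constructed bytes with the output of a tool that shows the full response head (for example `curl -si https://your-host/`), keeping the CRLF line endings intact; only the header block is inspected.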
ExTechOp wrote: The Mozilla Observatory gives our Zimbra installation a C rating, mainly because of missing security headers. Can we expect to have these security problems (some fairly important, some not so, but all should be easy to implement) corrected in the next Zimbra release?
You've posted this in the Zimbra Desktop forum; is that the product you're talking about, or is it ZCS?
These are only Community forums, not official Zimbra Support. If you want to report a problem of any sort within ZCS, you should file a report in bugzilla or, if you're an NE customer, raise a support case.
phoenix wrote: You've posted this in the Zimbra Desktop forum; is that the product you're talking about, or is it ZCS?
Pardon me, I was aiming at "General Questions" and hit Zimbra Desktop.
That's OK, but don't post duplicates; I'll move this to the correct forum and remove the other post. As I mentioned earlier, bugzilla or, if you're a customer, Zimbra support would be the best place to post your concerns. These are only Community Support forums, not official Zimbra Support.
ExTechOp wrote: Currently, we get a security rating of B (70/100) from Observatory by tweaking the ciphers and adding the following extra response headers: