Security update for embedded help centers

Thank you for using Jira Service Desk.

Today we're going to chat about embedding your help center.

Previously, it was possible to embed your help center in an iframe. For security reasons, we've decided to stop supporting this on May 1st, 2018. If your help center is embedded in an iframe, read on to learn which secure alternative is right for you and your team.

Why iframes are vulnerable

Help centers that are embedded in iframes are vulnerable to security attacks such as clickjacking. Clickjacking tricks users into performing actions they did not intend, which can lead them to delete data or divulge their user credentials. Learn more about clickjacking.
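
The browser-side check that stops a page from being framed, as an added example that is not Atlassian's code: a browser refuses to render a response in an iframe when its X-Frame-Options header or its Content-Security-Policy frame-ancestors directive excludes the embedding site. This page does not say which headers the help center sends; the URLs and header values below are constructed, header names are assumed to be lower-cased, and source matching is simplified to schemes, exact hosts and *. wildcards.

```javascript
// Added example: would a browser render `pageUrl` in an iframe on `embedderUrl`?
// Simplified model: one level of framing; sources are schemes, hosts or *.hosts.

function frameAncestors(csp) {
  // Source list of the frame-ancestors directive, or null when it is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function sourceAllows(source, embedder, self) {
  const src = source.toLowerCase();
  if (src === "'self'") return embedder.origin === self.origin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  const m = src.match(/^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([a-z0-9.-]+)$/);
  if (!m || embedder.protocol !== m[1] + ":") return false; // 'none' lands here
  return m[2] ? embedder.hostname.endsWith("." + m[3]) : embedder.hostname === m[3];
}

function canBeFramed(headers, pageUrl, embedderUrl) {
  const self = new URL(pageUrl);
  const embedder = new URL(embedderUrl);
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return sources.some((s) => sourceAllows(s, embedder, self));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder.origin === self.origin;
  return true; // no usable policy: any site can frame the page
}

// Constructed sample: a help center page and two sites that try to embed it.
const PAGE = "https://help.example.com/portal";
const policy = { "content-security-policy": "frame-ancestors 'self' https://*.example.com" };
console.log(canBeFramed(policy, PAGE, "https://www.example.com/support"));
console.log(canBeFramed(policy, PAGE, "https://other.test/landing"));
console.log(canBeFramed({}, PAGE, "https://other.test/landing"));
```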

Secure alternatives to iframes

We support two secure options for embedding your help center: the embeddable widget, and APIs. The embeddable widget is best for teams that have open service desks; APIs are best for teams that require customers to log in to the help center.

Embeddable widget

The widget is like a mini-help center that you can embed on web pages.

Each project has one widget that you can embed on as many pages as you like. It also displays your knowledge base, so you can deflect requests with FAQs and How-tos. Learn more about how to set up a widget.


APIs

If your help center requires a login, the best option is to build your own help center using the Jira Service Desk APIs. To learn how, visit our developer documentation.


The Jira Service Desk team

P.S. 🐛 Don't forget to check out the latest bug fixes.
