HOW TO SECURE WEBFLOW - SECURITY GUIDE | VIBEEVAL
Webflow Security Context
Webflow handles the platform layer (TLS, infrastructure, CMS hosting) — your blast radius lives in three places: custom code embeds (anything in Site settings → Custom Code or in component-level Embed blocks), the Memberships gating (which is opt-in, not opt-out), and webhooks/integrations connected via Logic or third-party tools. The recurring incident shape is a tracking pixel embed that includes a leaked API key, or a Memberships site that “feels” gated but has direct CMS-collection URLs that bypass the gate.
Security Checklist
1. Audit form submissions
Site Settings → Forms: check the submission destination. The default is Webflow’s form storage, which is fine. If you’ve added a webhook or Zapier endpoint, confirm that (a) the endpoint expects exactly what Webflow sends, (b) the endpoint validates server-side, and (c) the endpoint URL isn’t leaked anywhere, since the endpoint is not authenticated and the URL is all that protects it. Add reCAPTCHA (Forms → Add field → reCAPTCHA) on every public form to block spam bots.
2. Configure CMS Collection permissions
CMS → Collection → Settings → Permissions: control who can edit and publish. Editor-role staff should not be able to publish without review for sites with regulatory exposure. Each collaborator’s role logs to the Activity Log — review weekly.
3. Lock down Member areas (if used)
Memberships gates pages, not raw CMS items. If you have a members-only/blog/[slug] page, the page is gated — but the underlying CMS collection’s individual item URL is not gated by default. In Memberships → Access groups: explicitly add the collection to a paid access group, and set the collection-item template page to require that group.
4. Audit custom code embeds
Site Settings → Custom Code → Head Code / Footer Code, plus every Embed element on every page. Look for: hardcoded API keys (especially analytics, customer-chat and A/B-testing keys, some of which are meant to stay server-side), eval (which executes arbitrary strings) and document.write (which lets any script rewrite the page). Self-host critical scripts where possible.
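A static audit pass over an embed, as an added example (not Webflow's code or tooling): it flags the patterns item 4 calls out and can be run unchanged over exported HTML/JS from item 15. The key patterns are assumptions, a few well-known prefixes plus a generic "long literal assigned to a key-like name" heuristic, and the sample embed is constructed.

```javascript
// Added example (not Webflow's code): a static audit pass over a custom-code
// embed that flags the patterns item 4 calls out. The same function can be run
// over exported HTML/JS (item 15). Key patterns are assumptions: a few known
// prefixes plus a generic "long literal assigned to a key-like name" heuristic.
const RULES = [
  { id: 'eval', re: /\beval\s*\(/, why: 'eval executes arbitrary strings' },
  { id: 'document.write', re: /\bdocument\.write(ln)?\s*\(/, why: 'can rewrite the page from any script' },
  { id: 'stripe-secret', re: /\bsk_(live|test)_[0-9A-Za-z]{16,}/, why: 'Stripe secret key; server-side only' },
  { id: 'aws-access-key', re: /\bAKIA[0-9A-Z]{16}\b/, why: 'AWS access key id' },
  { id: 'google-api-key', re: /\bAIza[0-9A-Za-z_-]{35}\b/, why: 'Google API key; restrict by referrer if it must ship' },
  { id: 'long-token', re: /(?:key|token|secret|password)\s*[:=]\s*["'][^"']{24,}["']/i, why: 'long literal assigned to a key-like name' },
];

// Returns one finding per (line, rule) hit so the reviewer can go straight to it.
function auditEmbed(code) {
  const findings = [];
  code.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ line: i + 1, rule: rule.id, why: rule.why, snippet: line.trim().slice(0, 80) });
      }
    }
  });
  return findings;
}

// Constructed sample embed, the kind found in Site Settings -> Footer Code.
// The key values are fake placeholders shaped like the real prefixes.
const SAMPLE_EMBED = `<script>
  window.analyticsKey = "AKIAEXAMPLE000000000";
  var cfg = { secret: "sk_live_00000000000000000000ABCD" };
  document.write('<img src="https://pixel.example/t?k=' + window.analyticsKey + '">');
  eval(location.hash.slice(1));
</script>`;

for (const f of auditEmbed(SAMPLE_EMBED)) {
  console.log(`line ${f.line}: [${f.rule}] ${f.why} :: ${f.snippet}`);
}
```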
5. Configure SSL and force HTTPS
Site Settings → Hosting → SSL: confirm “Force SSL” is on and the cert is active. Check both the apex (yourdomain.com) and www. variants — Webflow’s SSL covers both but requires both DNS records.
6. Enable password protection on staging
Site Settings → General → Password Protection: enable on the webflow.io staging URL until you launch. Prevents Google indexing the staging version, prevents leaks via the staging URL when shared.
7. Review webhook integrations
In Logic → Workflows and any third-party automation (Zapier, Make, n8n): every workflow that posts to or pulls from your site is a trust boundary. Confirm: the webhook URL isn’t shared in documentation or support tickets, the receiving service validates the payload, and the workflow doesn’t echo user input into a sink (an admin email, a database) without validation.
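Server-side validation for the service that receives the form webhook, as an added example covering items 1 and 7 (not Webflow's, Zapier's or Make's code): it accepts exactly the fields the form is expected to send and refuses control characters in anything that will later sit on an email header line. The field list, the sample payloads and the notification shape are assumptions about one contact form.

```javascript
// Added example (not Webflow's or Zapier's code): server-side validation for the
// endpoint that receives form-submission webhooks, covering items 1 and 7. The
// field list is an assumption about one contact form; the single-line check is
// for the "echo into an admin email" sink. None of it relies on the webhook URL
// staying secret.
const EXPECTED_FIELDS = {
  name:    { max: 100,  singleLine: true },
  email:   { max: 254,  singleLine: true, re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  message: { max: 2000, singleLine: false },
};
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function validateSubmission(body) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return { ok: false, errors: ['body is not a JSON object'] };
  }
  const errors = [];
  // Anything the form was not expected to send is a red flag, not a bonus field.
  for (const key of Object.keys(body)) {
    if (!hasOwn(EXPECTED_FIELDS, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(EXPECTED_FIELDS)) {
    const v = body[key];
    if (typeof v !== 'string') { errors.push(`${key}: missing or not a string`); continue; }
    if (v.length > rule.max) errors.push(`${key}: longer than ${rule.max}`);
    if (rule.re && !rule.re.test(v)) errors.push(`${key}: malformed`);
    // CR/LF or other control characters in a value that later lands in an email
    // Subject or Reply-To line would let the sender inject extra headers.
    if (rule.singleLine && /[\x00-\x1f\x7f]/.test(v)) errors.push(`${key}: control characters`);
  }
  return { ok: errors.length === 0, errors };
}

// Build the admin notification only from a validated body, and still strip
// line breaks from anything placed on a header line.
function buildAdminNotice(sub) {
  const headerSafe = (s) => s.replace(/[\r\n]+/g, ' ').trim();
  return { subject: `New contact from ${headerSafe(sub.name)}`, replyTo: headerSafe(sub.email), text: sub.message };
}

// Constructed sample payloads: one clean, one with an extra field, a bad
// address and a CRLF header-injection attempt in the name.
const GOOD_BODY = { name: 'Ada', email: 'ada@example.com', message: 'Hello\nsecond line' };
const BAD_BODY = { name: 'Ada\r\nBcc: everyone@example.com', email: 'not-an-email', message: 'x', admin: true };

console.log(validateSubmission(GOOD_BODY));
console.log(validateSubmission(BAD_BODY));
```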
8. Configure team / workspace permissions
Workspace → Members: review quarterly. Editor < Designer < Workspace Admin. Ex-collaborators with editor access still see the Activity Log and can edit live content. Remove on departure.
9. Control asset access
Webflow assets at cdn.prod.website-files.com/[id]/ are public-by-design — anyone with the URL can fetch. For genuinely private files, do not upload to Webflow’s asset library; use a separately-auth-gated storage (S3 with signed URLs, Supabase Storage with a policy).
10. Configure E-commerce security
E-commerce → Settings → Checkout: confirm Stripe is the payment processor (not “test mode”), order confirmations include a signed receipt URL, and Webhook URLs in the Stripe dashboard match your Webflow project ID. Inventory updates should be webhook-driven (Stripe → Webflow), not client-side.
11. Manage SEO indexing for sensitive paths
Site Settings → SEO → Sitemap: exclude paths that should not be indexed. Page Settings → SEO → Index this page = off for: thank-you pages with token URLs, member-only pages, internal staging pages. Then add Disallow: entries to Site Settings → SEO → robots.txt.
12. Configure 301 redirects safely
Site Settings → Hosting → 301 redirects: avoid open redirects (a redirect from /r?to=... that obeys the query parameter). These are phishing pivots. Stick to specific path → path redirects, never path → arbitrary URL. See SSRF / open redirect / OAuth for the abuse pattern.
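For any redirect you build outside Webflow's fixed path → path table (a "continue after login" parameter handled by your own backend, for instance), this added example (not Webflow's code) is the check item 12 implies: the target must be a same-site path, and protocol-relative, backslash and absolute-URL forms are refused. The site origin and the test cases are assumptions.

```javascript
// Added example (not Webflow's code): validating a user-supplied redirect target
// so a redirect stays path -> path on this site. SITE_ORIGIN is an assumption.
const SITE_ORIGIN = 'https://www.example.com';

function isSafeRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) return false;
  // A single leading slash not followed by "/" or "\": rejects "https://evil",
  // "//evil" (protocol-relative), "/\evil" (browsers treat "\" as "/") and
  // "javascript:" schemes in one go.
  if (!/^\/(?![\/\\])/.test(target)) return false;
  // No whitespace, control characters or backslashes anywhere in the value.
  if (/[\s\x00-\x1f\x7f\\]/.test(target)) return false;
  let resolved;
  try {
    resolved = new URL(target, SITE_ORIGIN);
  } catch (e) {
    return false;
  }
  // After the URL parser has normalised it, it must still resolve to our origin.
  return resolved.origin === SITE_ORIGIN;
}

// Hand back the original string only when it passed; otherwise a fixed fallback.
function safeRedirect(target, fallback = '/') {
  return isSafeRedirectTarget(target) ? target : fallback;
}

// Constructed cases: [candidate target, expected verdict].
const REDIRECT_CASES = [
  ['/account', true],
  ['/blog/post-1?ref=nav#top', true],
  ['https://evil.example/phish', false],
  ['//evil.example/phish', false],
  ['/\\evil.example', false],
  ['javascript:alert(1)', false],
  [' /account', false],
  ['', false],
];

for (const [t, expected] of REDIRECT_CASES) {
  console.log(`${JSON.stringify(t)} -> ${isSafeRedirectTarget(t)} (expected ${expected})`);
}
```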
13. Review backup capabilities
Project → Backups: Webflow auto-backs up on save. Restore by selecting a backup and clicking “Restore.” Test the restore once before you need it; back up a test edit, restore, confirm.
14. Monitor site activity
Activity Log: review weekly for: bulk content deletions, unexpected publishes, new collaborators added, webhook integrations created. Each is normal in isolation; in clusters they’re the signature of a compromised editor account.
15. Restrict code export
Site Settings → General → Export Code: limit to admins. Exported HTML/CSS/JS includes any embedded keys and any custom code; it’s the same blast radius as the live site, just downloadable.
16. Run a security scan
The Security Headers Checker reports on your Webflow site’s response headers. The Vibe Code Scanner catches embedded keys and exposed CDN paths.
Automate Your Security Checks
VibeEval scans your published Webflow site for embedded credentials, missing security headers, and CDN-asset exposure.