HTTP response headers security

I am working with a client that is asking if we can set various security-related headers from our Webflow-hosted site:

content-security-policy, x-content-type-options, x-frame-options, x-xss-protection, strict-transport-security.

I can really see the value in being able to set some of these via an advanced options section in site settings to really help secure your site. For example, as a simple one, if I don't want someone embedding my site in an iframe, setting x-frame-options would be pretty nice. I can see that some of the others could get you into trouble, but having a set of options for each that won't completely break my site would be nice.

Just to confirm, there is no way to set an option to control any of these, correct? I couldn't find anything.

In that case it sounds like a feature request but I wanted to toss this out there to get some general thoughts and comments, I'm no expert on website security.

written by: esassaman



  • Dominik Roettger
  • Jul 8 2017
  • McAlvany Intelligence Advisor commented
    22 Jul 22:30

    Yes! Also need this - has anyone been able to achieve this?

  • Will Dean commented
    30 Jun 09:56

    Web security is really important. You definitely should know how to block porn and other malicious websites.

  • Nick DiMoro commented
    20 May 03:45

    Please, please, please, we need this implemented. This is the final key to making Webflow a 100% fast, secure web host; it's a no-brainer.

  • Matt Koshko commented
    14 May 01:16

    Curious to know if any of you have been successful with Webflow's team to get this addressed.

  • Alexander Brevig commented
    27 Mar 08:26

    Subsequently all sites hosted on webflow get the same score.

  • Chadwick Savage commented
    19 Feb 02:01

    Currently have a support ticket open asking about this before I found this post. This is much needed. Every Webflow site I'm running through only has content security policy and x frame options as the current headers.

  • Onedot Marketing commented
    21 Jan 14:51

    Same here, HSTS headers are a must in our opinion.

  • Russ Shearer commented
    December 17, 2019 16:39

    Given many of these headers are legal requirements for compliance with CCPA and GDPR, I'd love to see an update from Webflow on this.

  • ShijiHetras Team commented
    November 13, 2019 10:45

    Webflow team, any news about the feature?

  • Jaime Delgado commented
    October 28, 2019 09:47

    This is a must-have for all 3 of our projects - you have security headers easily with WordPress but not with Webflow?

  • Axel Sturmann commented
    June 20, 2019 16:26

    This would also be very helpful to me. Facebook Pixel does not track across sub-domains unless you call that Pixel into your sub-domain pages via an iFrame. But this is not allowed by Webflow (i.e. hosting the Pixel code on my main domain with Webflow, and calling that page into my sub-domains via an iFrame). The above request would solve this problem.