HTTP response headers security

I am working with a client that is asking if we can set various security-related headers from our Webflow-hosted site:

content-security-policy, x-content-type-options, x-frame-options, x-xss-protection, strict-transport-security.

I can really see the value in being able to set some of these via an advanced options section in site settings to really help secure your site. For example, as a simple one, if I don't want someone embedding my site in an iframe, setting x-frame-options would be pretty nice. I can see that some of the others could get you into trouble, but having a set of options for each that won't completely break my site would be nice.

Just to confirm, there is no way to set an option to control any of these, correct? I couldn't find anything.

In that case it sounds like a feature request, but I wanted to toss this out there to get some general thoughts and comments; I'm no expert on website security.

written by: esassaman, https://forum.webflow.com/t/setting-various-webflow-host-http-headers-for-security/44925

Thanks 

Dominik

  • Dominik Roettger
  • Jul 8 2017
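The headers listed in the post are the ones a header scanner grades. As an added example (not Webflow code, and not the scanner the thread links), here is a small audit function that takes a response-header dict and reports which of those headers are missing or weakly configured; the thresholds (one-year HSTS max-age, no unsafe-inline in CSP, allowed Referrer-Policy values) are assumptions chosen as a reasonable baseline, and SAMPLE_HEADERS is a constructed response.

```python
import re

# Each check takes a header value and returns None (acceptable) or a finding.
def _check_hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "max-age missing"
    return "max-age below one year" if int(m.group(1)) < 31536000 else None

def _check_csp(v):
    if "default-src" not in v and "script-src" not in v:
        return "no default-src or script-src directive"
    if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
        return "allows unsafe-inline/unsafe-eval"
    return None

def _check_xfo(v):
    # ALLOW-FROM is obsolete; modern browsers ignore it, so only two values count.
    return None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "must be DENY or SAMEORIGIN"

def _check_nosniff(v):
    return None if v.strip().lower() == "nosniff" else "value must be nosniff"

def _check_referrer(v):
    ok = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
    return None if v.strip().lower() in ok else "leaks referrer cross-origin"

# Baseline policy (assumption): every header below must be present and pass its check.
CHECKS = {
    "strict-transport-security": _check_hsts,
    "content-security-policy": _check_csp,
    "x-frame-options": _check_xfo,
    "x-content-type-options": _check_nosniff,
    "referrer-policy": _check_referrer,
    "permissions-policy": lambda v: None,  # presence is enough for this baseline
}

def audit_headers(headers):
    """Return {header: finding} for missing or weak headers; empty dict means pass."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    for name, check in CHECKS.items():
        problem = "missing" if name not in lower else check(lower[name])
        if problem:
            findings[name] = problem
    # X-XSS-Protection enables a legacy browser filter that has been removed from
    # current browsers; the safe settings are "0" or not sending it at all.
    xss = lower.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings["x-xss-protection"] = "legacy header; set to 0 or remove"
    return findings

# Constructed sample response: short HSTS, obsolete X-Frame-Options, legacy XSS filter.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-XSS-Protection": "1; mode=block",
}
```

Feed it the headers captured from a real response (for example from a requests or curl -I run) to get the same kind of per-header verdict a scanner reports.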
  • Tim Nyquist commented
    16 Jul 16:49

    Here to pile on sentiments that my non-Enterprise site should be able to pass securityheaders.com/penetration testing without routing through Cloudflare. 🥺

    While I appreciate the recent addition of HSTS, we still need to add X-Content-Type-Options (Why no toggle for nosniff under Advanced publishing options while you were already breaking out subdomains and preload?), Referrer-Policy and Permissions-Policy security headers.

    Speaking of which, why does Webflow still prioritize the outdated Features-Policy? 🤔

  • Hey Gianluca commented
    September 18, 2023 15:44

    Security headers should not be an enterprise-only feature in my eyes, since most of them can be set for our WordPress client with a couple of lines inside an .htaccess file.

  • Eliana Franco commented
    September 11, 2023 21:40

    Hi all, we just redesigned our site and moved it over to Webflow, only to find out that we are on Core and can't add custom security headers. This is a HUGE problem for us. Will this be available to all customers soon, or is there a manual workaround that we can implement?

  • Rien commented
    August 23, 2023 12:02

    Unbelievable that security settings/headers are only available to Enterprise customers. Thinking about using Cloudflare or the like to fix this. Any suggestions?

  • Stuart Hare commented
    January 18, 2023 09:35

    We have recently moved to Webflow. Reading the guides and working with the agency before we agreed to move, we believed security headers would be available.

    Since moving over to Webflow we have now found that they are only available to Enterprise customers.

    Can security headers please be made available to all paid plans?

    Fundamental Security MUST be a standard offering for all users of any service NOT just Enterprise customers.

  • Brian Wong commented
    December 12, 2022 09:09

    A financial institution partner is running an audit on our Webflow landing pages and found that the default security headers are insufficient.

    They keep insisting we upgrade; however, we're stuck because custom security headers are only available to Webflow Enterprise customers.

    This is becoming a dealbreaker for us - can we please get support for this feature?

  • Sven Wiegert commented
    October 10, 2022 13:31

    THIS should be a MUST HAVE in no matter which option and not just in ENTERPRISE!!!! Especially in EU countries. Otherwise many freelancers and web agencies are going to have HUUUUUUUUGE problems with GDPR. If this doesn't become a default feature, many EU-people gotta stop working with Webflow. And that would be really sad.

  • Daniel commented
    September 07, 2022 15:00

    Why can't they just release a simple security pack for an extra $3 a month? Otherwise just give it standard. If a Google check says this is a security risk it should be addressed. Small organisations can't afford Enterprise Lite.

  • Omer Rimoch commented
    August 24, 2022 06:41

    This definitely seems like a basic option that should at least be available in the Business option.

  • Erik Runbeck commented
    March 25, 2022 21:00

    I believe that this is available in Enterprise Lite now, right?

  • Guest commented
    February 18, 2022 21:19

    You can host the site with Stacket: https://stacket.app/ where you want, and then add the security headers that you prefer :)

  • Anthony Pilger commented
    February 09, 2022 13:27

    This has been the deal breaker on many projects, and it's pretty much the same scenario.

    It's an easy sell to creatives and account people when all they can see are the visual aspects of Webflow, great content editing and layout tools. But when we start talking hosting and infosec related matters, it's a deal breaker.

    Not having this means we need to introduce new tooling to get around this issue, either by creating proxy servers or custom pipeline scripts to handle the exporting and rebuilding of the site with dynamic content.

    There are ways to work around this, but it's annoying, costly and fragile. So the result is just referring them to another tool or process.

  • Andrew Thompson commented
    August 10, 2021 03:35

    Hey, this is becoming a bit of a problem. Can we please have the ability to put our own headers on our website? If not, add some standards in there such as:

    • X-Content-Type-Options
    • Strict-Transport-Security
    • Referrer-Policy
    • Permissions-Policy

    Thanks

  • Adam Rich commented
    May 13, 2021 20:55

    Adding X-Content-Type-Options: nosniff should be a trivial change.

  • Mark Thurman commented
    March 31, 2021 10:48

    This seems an obvious target to implement - but doing so in such a way that limits the self-harm that can come from incorrect set-up is the real deal, right? I have financial sector clients (non-transactional sites & marketing) that I can't realistically use Webflow for because a simple scan of the headers (even of webflow.com!) shows a poor 'D' rating.

    Curiously, the security rating that Webflow sites score for their headers varies. When you look at the enterprise showcase sites of HelloSign and Brandland.Zendesk they receive a D and an F respectively. The Zendesk site has no CSP or X-Frame-Options set, whereas HelloSign at least has those 2.

    Which begs the question: did the Zendesk site happen before these became a core part of Webflow, or did one of these two clients get some customisation aspect?

    Either way - some beefing up of the offering here would go a long way to meeting the basic expectations of larger clients.

  • Laura Kim commented
    December 11, 2020 15:49

    Need this as well! Any updates?

  • McAlvany Intelligence Advisor commented
    July 22, 2020 22:30

    Yes! Also need this - has anyone been able to achieve this?

  • Nick DiMoro commented
    May 20, 2020 03:45

    Please, please, please, we need this implemented. This is the final key to making Webflow a 100% fast, secure web host; it's a no-brainer.

  • Matt Koshko commented
    May 14, 2020 01:16

    Curious to know if any of you have been successful with Webflow's team to get this addressed.

  • Alexander Brevig commented
    March 27, 2020 08:26

    https://securityheaders.com/?q=https%3A%2F%2Fwebflow.com%2F&hide=on&followRedirects=on

    Subsequently all sites hosted on webflow get the same score.
