HTTP response headers security

I am working with a client that is asking if we can set various security-related headers from our Webflow hosted site:

content-security-policy, x-content-type-options, x-frame-options, x-xss-protection, strict-transport-security.

I can really see the value in being able to set some of these via an advanced options section in site settings to really help secure your site. For example, as a simple one, if I don't want someone embedding my site in an iframe, setting X-Frame-Options would be pretty nice. I can see that some of the others could get you into trouble, but having a set of options for each that won't completely break my site would be nice.

Just to confirm, there is no way to set an option to control any of these, correct? I couldn't find anything.

In that case it sounds like a feature request but I wanted to toss this out there to get some general thoughts and comments, I'm no expert on website security.

written by: esassaman, https://forum.webflow.com/t/setting-various-webflow-host-http-headers-for-security/44925

Thanks 

Dominik

  • Dominik Roettger
  • Jul 8 2017
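The headers named in the post are what scanners such as securityheaders.com (mentioned by several commenters below) look for, and the thread also raises the worry that a careless value can hurt more than help. As an added example, not part of the original post and not Webflow's code, here is a small audit of a header set that reports each header as ok, weak or missing, with the caveats a practitioner would want: a short HSTS max-age, a CSP gutted by 'unsafe-inline' or a bare *, the obsolete ALLOW-FROM form of X-Frame-Options, and the deprecated X-XSS-Protection filter. WEAK_SITE and HARDENED_SITE are constructed header sets for illustration, not captures from any real site.

```python
"""Audit HTTP response headers for the protections discussed in this thread.
Added example, not Webflow code; WEAK_SITE and HARDENED_SITE are constructed."""
import re

ONE_YEAR = 31536000  # seconds; the usual minimum for a useful HSTS max-age
CSP_BAD = {"'unsafe-inline'", "'unsafe-eval'", "*"}  # tokens that gut a policy


def audit_headers(headers, https=True):
    """Return {header: (status, reason)} with status in {"ok", "weak", "missing"}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    out = {}

    # HSTS only matters over TLS; a short max-age is the common misconfiguration.
    hsts = h.get("strict-transport-security")
    if not https:
        out["strict-transport-security"] = ("ok", "not applicable over plain HTTP")
    elif hsts is None:
        out["strict-transport-security"] = ("missing", "browsers may still connect over HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        status = "ok" if age >= ONE_YEAR else "weak"
        out["strict-transport-security"] = (status, f"max-age={age}")

    # CSP: split into tokens so "https://*.cdn.example" is not mistaken for a bare "*".
    csp = h.get("content-security-policy")
    tokens = re.split(r"[\s;]+", csp) if csp else []
    bad = sorted(CSP_BAD & set(tokens))
    if csp is None:
        out["content-security-policy"] = ("missing", "no restriction on script sources")
    elif bad:
        out["content-security-policy"] = ("weak", "policy allows " + ", ".join(bad))
    elif "default-src" not in tokens:
        out["content-security-policy"] = ("weak", "no default-src fallback")
    else:
        out["content-security-policy"] = ("ok", csp)

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        out["x-frame-options"] = ("ok", xfo)
    elif xfo.startswith("ALLOW-FROM"):
        out["x-frame-options"] = ("weak", "ALLOW-FROM is obsolete; use CSP frame-ancestors")
    elif "frame-ancestors" in tokens:
        out["x-frame-options"] = ("ok", "covered by CSP frame-ancestors")
    else:
        out["x-frame-options"] = ("missing", "site can be framed by any origin")

    # MIME sniffing: the only meaningful value is nosniff.
    if h.get("x-content-type-options", "").lower() == "nosniff":
        out["x-content-type-options"] = ("ok", "nosniff")
    else:
        out["x-content-type-options"] = ("missing", "browsers may sniff content types")

    # Referrer leakage: unsafe-url sends the full URL to every destination.
    rp = h.get("referrer-policy", "").lower()
    if not rp:
        out["referrer-policy"] = ("missing", "browser default applies")
    elif rp == "unsafe-url":
        out["referrer-policy"] = ("weak", "full URL leaks cross-origin")
    else:
        out["referrer-policy"] = ("ok", rp)

    if "permissions-policy" in h:
        out["permissions-policy"] = ("ok", h["permissions-policy"])
    else:
        out["permissions-policy"] = ("missing", "no restriction on browser features")

    # The legacy XSS filter is deprecated and has itself been abused; "0" or
    # absence is the safe state, so asking for "1; mode=block" is not a win.
    xss = h.get("x-xss-protection")
    if xss is None or xss == "0":
        out["x-xss-protection"] = ("ok", "legacy filter disabled or unset")
    else:
        out["x-xss-protection"] = ("weak", "deprecated filter enabled; set to 0 or remove")
    return out


# Constructed: a site that sets only CSP and X-Frame-Options, with a lax CSP.
WEAK_SITE = {"Content-Security-Policy": "default-src * 'unsafe-inline'",
             "X-Frame-Options": "SAMEORIGIN"}

# Constructed: a conservative set that should not break a static marketing site.
HARDENED_SITE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        for header, (status, reason) in audit_headers(site).items():
            print(f"{label:9}{status:8} {header}: {reason}")
```

Run it as a script to see both sets side by side; to audit a live site, feed it the headers from a `curl -sI` response instead of the constructed dictionaries. The HARDENED_SITE values are one reasonable starting point for a static marketing site, not a universal answer: a CSP has to match the scripts and assets the site actually loads, which is exactly why the post asks for options that will not break the site.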
  • Daniel commented
    7 Sep 03:00pm

    Why can't they just release a simple security pack for an extra $3 a month? Otherwise just give it standard. If a Google check says this is a security risk it should be addressed. Small organisations can't afford Enterprise Lite.

  • Omer Rimoch commented
    24 Aug 06:41am

    This definitely seems like a basic option that should at least be available in the Business option.

  • Erik Runbeck commented
    25 Mar 09:00pm

    I believe that this is available in Enterprise Lite now, right?

  • Guest commented
    18 Feb 09:19pm

    You can host the site with Stacket: https://stacket.app/ wherever you want, and then add whatever security headers you prefer :)

  • Anthony Pilger commented
    9 Feb 01:27pm

    This has been the deal breaker on many projects, and it's pretty much the same scenario.

    It's an easy sell to creatives and account people when all they can see are the visual aspects of Webflow, great content editing and layout tools. But when we start talking hosting and infosec related matters, it's a deal breaker.

    Not having this means we need to introduce new tooling to get around this issue, either by creating proxy servers or custom pipeline scripts to handle the exporting and rebuilding of site with dynamic content.

    There are ways to work around this, but it's annoying, costly and fragile. So the result is just referring them to another tool or process.
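The proxy workaround Anthony describes, as an added example that is not Webflow's code and not any commenter's: a small Python reverse proxy that relays the origin's responses and adds the headers the thread asks for. The origin hostname and listen address are assumptions, and the proxy is assumed to sit behind a TLS terminator, which is what makes the HSTS header meaningful. The merge logic handles the details that make such proxies fragile: hop-by-hop headers are not relayed, Content-Length is recomputed because the HTTP client has already de-chunked the body, single-valued headers from the origin are replaced rather than duplicated, and the frame-ancestors CSP is sent as a second CSP header so an existing upstream policy is tightened rather than overwritten.

```python
"""Minimal reverse proxy that adds security headers in front of an origin that
cannot set them (the "proxy server" workaround mentioned in this thread).
Added example, not Webflow code. ORIGIN_HOST and LISTEN are assumptions; in
production this proxy sits behind a TLS terminator, which is what makes the
HSTS header meaningful."""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ORIGIN_HOST = "example.webflow.io"  # assumed upstream; replace with the real origin
LISTEN = ("127.0.0.1", 8080)        # assumed local listen address

# A conservative set that does not break a static site. The CSP here is
# frame-ancestors only and is sent as an extra CSP header: browsers enforce
# every CSP header they receive, so this tightens an upstream policy without
# replacing it.
SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("X-XSS-Protection", "0"),  # the legacy filter is deprecated; 0 disables it
]

# Hop-by-hop headers (RFC 7230 section 6.1) must not be relayed by a proxy;
# Content-Length is recomputed because http.client has already de-chunked the body.
DROP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
        "te", "trailer", "transfer-encoding", "upgrade", "content-length"}

# Single-valued headers we replace instead of duplicating: two X-Frame-Options
# headers with conflicting values are ambiguous, so the origin's copy is dropped.
REPLACE = {name.lower() for name, _ in SECURITY_HEADERS} - {"content-security-policy"}


def apply_security_headers(upstream, tls=True):
    """Return upstream (name, value) pairs with hop-by-hop headers removed and
    SECURITY_HEADERS merged in. HSTS is omitted when not served over TLS,
    where browsers ignore it anyway."""
    out = [(n, v) for n, v in upstream if n.lower() not in DROP | REPLACE]
    for name, value in SECURITY_HEADERS:
        if name == "Strict-Transport-Security" and not tls:
            continue
        out.append((name, value))
    return out


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        conn = http.client.HTTPSConnection(ORIGIN_HOST, timeout=10)
        # Host must name the origin; identity encoding keeps the body a plain
        # byte string whose length we can report as Content-Length.
        conn.request("GET", self.path,
                     headers={"Host": ORIGIN_HOST, "Accept-Encoding": "identity"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()

        self.send_response(resp.status)
        # tls=True because the proxy is assumed to sit behind a TLS terminator.
        for name, value in apply_security_headers(resp.getheaders(), tls=True):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, ProxyHandler).serve_forever()
```

Start it with `python proxy.py` and point a browser or `curl -I http://127.0.0.1:8080/` at it to see the merged headers. It only handles GET, which is enough for a static marketing site; forms and other methods would need the same treatment, and a production deployment would normally do this in the TLS-terminating reverse proxy or CDN in front of the site rather than in a standalone script, which is the "annoying, costly and fragile" tooling the comment refers to.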


  • Andrew Thompson commented
    10 Aug, 2021 03:35am

    Hey, this is becoming a bit of a problem. Can we please have the ability to put our own headers on our website? If not add some standards in there such as

    • X-Content-Type-Options

    • Strict-Transport-Security

    • Referrer-Policy

    • Permissions-Policy


    Thanks

  • Adam Rich commented
    13 May, 2021 08:55pm

    Adding X-Content-Type-Options: nosniff should be a trivial change

  • Mark Thurman commented
    31 Mar, 2021 10:48am

    This seems an obvious target to implement - but doing so in such a way that limits the self harm that can come from incorrect set-up is the real deal right? I have financial sector clients (non transactional sites & marketing) that I can't realistically use for Webflow because a simple scan of the headers (even of webflow.com !) shows a poor 'D' rating.


    Curiously, the security rating that Webflow sites score for their headers varies. When you look at the enterprise showcase sites of HelloSign and Brandland.Zendesk they receive a D and an F respectively. The Zendesk site has no CSP or X-Frame-Options set, whereas HelloSign at least has those 2.

    Which begs the question: did the Zendesk site happen before these became a core part of Webflow, or did one of these two clients get some customisation aspect?

    Either way, some beefing up of the offering here would go a long way to meeting the basic expectations of larger clients.

  • Laura Kim commented
    11 Dec, 2020 03:49pm

    Need this as well! Any updates?

  • McAlvany Intelligence Advisor commented
    22 Jul, 2020 10:30pm

    Yes! Also need this - has anyone been able to achieve this?

  • Nick DiMoro commented
    20 May, 2020 03:45am

    Please, please, please, we need this implemented. This is the final key to making Webflow a 100% fast, secure web host, it's a no-brainer.

  • Matt Koshko commented
    14 May, 2020 01:16am

    Curious to know if any of you have been successful with Webflow's team to get this addressed.

  • Alexander Brevig commented
    27 Mar, 2020 08:26am

    https://securityheaders.com/?q=https%3A%2F%2Fwebflow.com%2F&hide=on&followRedirects=on

    Subsequently all sites hosted on webflow get the same score.

  • Chadwick Savage commented
    19 Feb, 2020 02:01am

    Currently have a support ticket open asking about this before I found this post. This is much needed. Every Webflow site I'm running through securityheaders.com only has Content-Security-Policy and X-Frame-Options as the current headers.

  • Onedot Marketing commented
    21 Jan, 2020 02:51pm

    Same here, HSTS headers are a must in our opinion

  • Russ Shearer commented
    17 Dec, 2019 04:39pm

    Given many of these headers are legal requirements for compliance with CCPA and GDPR, I'd love to see an update from Webflow on this.

  • ShijiHetras Team commented
    13 Nov, 2019 10:45am

    Webflow team, any news about the feature?

  • Jaime Delgado commented
    28 Oct, 2019 09:47am

    This is a must-have for all 3 of our projects - you have security headers easily with WordPress but not with Webflow?

  • Axel Sturmann commented
    20 Jun, 2019 04:26pm

    This would also be very helpful to me. Facebook Pixel does not track across sub-domains unless you call that Pixel into your sub-domain pages via an iFrame. But this is not allowed by Webflow (i.e. hosting the Pixel code on my main domain with Webflow, and calling that page into my sub-domains via an iFrame). The above request would solve this problem.
    Thx,
    Ax

  • +115