Reminder: Custom security headers are available only to Webflow Enterprise customers, as part of Enterprise site plans.
Custom security headers add an extra layer of protection to your public-facing sites and can help block cross-site scripting attacks, unwanted iframe embedding, and other domain-level security issues.
In this article, you will learn:
- About Webflow-supported headers
- How to enable and add a custom security header
- How to remove a custom security header
- How to enable the HSTS response header
About Webflow-supported headers
Webflow currently supports the following headers:
- x-xss-protection
- x-content-type-options
- x-frame-options
- referrer-policy
- x-permitted-cross-domain-policies
- timing-allow-origin
- content-security-policy
- feature-policy
- expect-ct
- strict-transport-security (enabled in Advanced publishing options)
For details on each of these headers, their syntax, and browser compatibility, see the MDN web docs.
Reminder: Webflow does not currently support the permissions-policy header. Use the feature-policy header instead (browsers have since renamed feature-policy to permissions-policy, so check MDN for what your target browsers honor).
How to enable and add a custom security header
To enable custom security headers on a site, contact our Sales team. They will enable the feature per site, after which you can add or change the custom security headers on each site as needed.
To add a custom security header (once the feature is enabled on your site):
- Go to Site settings > Publishing tab and scroll to Custom Headers
- Set Enable Custom Site Headers to “Yes”
- Select a header from the Header dropdown
- Enter a value in the Value field
- Click Add header
Keep in mind that a custom security header does not take effect until you re-publish your site. To publish, scroll to the top of Site settings and click Publish.
Reminder: Existing headers cannot be edited. To change a value, remove the existing header and add it again with the new value.
How to remove a custom security header
To remove a custom security header from your site:
- Go to Site settings > Publishing tab and scroll to Custom Headers
- Click the “trash” icon next to the header you want to remove
How to enable the HSTS response header
The HTTP strict-transport-security (HSTS) response header is also available. To enable it, go to Site settings > Publishing tab > Advanced publishing options.
There are 3 HSTS options, each of which can be toggled “on” or “off”:
- Enable HSTS – HSTS works only on a site with a custom domain
- Enable HSTS with subdomains – HSTS can be enabled for subdomains only if the root site also has HSTS turned on
- Enable HSTS Preload Header – the preload header asks browsers to add your site to the HSTS preload list. Warning: this can make your site unreachable if any subdomain is served over HTTP and “Enable HSTS with subdomains” is also enabled.
Reminder: If images or assets are missing on the live, published site, double-check the header value. A syntax error in the Value field can break the published site.
Important: For security and liability reasons, our support and success teams cannot help directly with setting up or troubleshooting custom security headers. If you run into problems with custom security headers, post on the Webflow Forum, where the whole Webflow community (including staff) can offer further help and resources.
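As an added example (not Webflow's code), the check a practitioner would run over the values before pasting them into the Value field and re-publishing: a small Python linter that takes a map of the page's supported header names to intended values and flags missing, malformed, or inconsistent settings, including the HSTS subdomain and preload interactions warned about above. The DENY/SAMEORIGIN values come from the X-Frame-Options spec, the one-year max-age minimum from the HSTS preload list's submission requirements, and the CSP heuristics are this example's own choices.

```python
# Added example, not Webflow's code: a lint pass over the header values you plan
# to paste into the Custom Headers "Value" field, run before re-publishing.
EXPECTED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
ONE_YEAR = 31536000  # seconds; minimum max-age the HSTS preload list accepts

def parse_directives(value):
    """Split 'max-age=300; preload' style values into {name: value or True}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip() or True
    return out

def check_headers(headers):
    """Return (header, finding) tuples for a header-name -> value map."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append(("x-frame-options", "missing: iframe embedding is not restricted"))
    elif xfo.upper() not in EXPECTED_FRAME_OPTIONS:
        findings.append(("x-frame-options", f"invalid value {xfo!r}; use DENY or SAMEORIGIN"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("x-content-type-options", "missing or not 'nosniff'"))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("content-security-policy", "missing"))
    else:
        # directive name -> source list; a missing default-src leaves fetches unrestricted
        srcs = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        if "default-src" not in srcs:
            findings.append(("content-security-policy", "no default-src fallback directive"))
        script = srcs.get("script-src", srcs.get("default-src", []))
        if "'unsafe-inline'" in script or "*" in script:
            findings.append(("content-security-policy", "script-src allows inline scripts or any origin"))
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        d = parse_directives(hsts)
        max_age = int(d["max-age"]) if str(d.get("max-age", "")).isdigit() else 0
        if "preload" in d and ("includesubdomains" not in d or max_age < ONE_YEAR):
            findings.append(("strict-transport-security", "preload needs includeSubDomains and max-age >= 31536000"))
        if "includesubdomains" in d:
            findings.append(("strict-transport-security", "includeSubDomains: every subdomain must serve HTTPS"))
    return findings
```

Call check_headers() with a dict of header names to the values you intend to enter; an empty list means nothing was flagged.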