Framer Security Best Practices
Secure your Framer website with these essential practices, from form protection to custom code security.
Framer handles hosting security, but you're responsible for application-level security. These practices help you build secure websites on Framer.
Security Best Practices
#1 Secure Custom Code Blocks
Severity: critical
Custom code (HTML, CSS, JS) can introduce vulnerabilities. Review all custom code for security issues.
Implementation: Audit code overrides and embeds for XSS vulnerabilities.
#2 Never Expose API Keys
Severity: critical
Client-side code in Framer is visible to all visitors. Never include API keys in custom code.
Implementation: Use serverless functions or proxy services for API calls requiring secrets.
#3 Enable Form Spam Protection
Severity: high
Forms can be targeted by bots. Enable reCAPTCHA or similar protection.
Implementation: Configure form spam protection in Form Settings.
#4 Verify SSL Configuration
Severity: high
Ensure HTTPS is enabled and working for your domain.
Implementation: Framer provides automatic SSL; verify that custom domains have valid certificates.
#5 Review Third-Party Integrations
Severity: high
Audit the security of any third-party scripts or embeds you add.
Implementation: Only embed from trusted sources, and review what data each integration can access.
#6 Control Editor Access
Severity: medium
Limit who has edit access to your Framer project.
Implementation: Review team members and their permissions regularly.
Common Mistakes to Avoid
API keys in custom code
Problem: All client-side code is visible to visitors.
Fix: Use serverless functions for API calls requiring secrets.

Forms without spam protection
Problem: Bots can flood forms with submissions.
Fix: Enable reCAPTCHA or honeypot fields.

Untrusted embed scripts
Problem: Third-party scripts have access to your page.
Fix: Only embed from trusted sources, and review script behavior.
Frequently Asked Questions
Is Framer secure for business websites?
Yes, Framer handles hosting security (SSL, DDoS protection). You're responsible for application security like forms, custom code, and third-party integrations.
How do I hide API keys in Framer?
You can't hide secrets in client-side Framer code. Use Framer's integrations, webhooks, or external serverless functions for API calls requiring secret keys.
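As an added example (not Framer's or this page's own code), here is the serverless proxy pattern recommended in practice #2 and in the answer above: the browser sends only an email address, and the function attaches the secret server-side. The origin, upstream URL and MAIL_API_KEY variable are hypothetical placeholders, and the request/response shapes are simplified rather than tied to a specific serverless platform.

```javascript
// Added example: serverless proxy that keeps an API secret off the Framer page.
// All names (ALLOWED_ORIGIN, UPSTREAM_URL, MAIL_API_KEY) are hypothetical.
const ALLOWED_ORIGIN = "https://www.example.com";            // your published site
const UPSTREAM_URL = "https://api.example.com/v1/subscribe"; // placeholder third-party API
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]{1,255}$/;

// Pure step: decide whether to forward, and build the upstream call.
// The secret is read from server-side env, never from the browser request.
function buildUpstreamRequest(req, env) {
  if (req.method !== "POST") return { status: 405, error: "method not allowed" };
  // Origin filters browser traffic only; it is not authentication.
  if (req.headers.origin !== ALLOWED_ORIGIN) return { status: 403, error: "origin not allowed" };
  if (!env.MAIL_API_KEY) return { status: 500, error: "proxy misconfigured" };
  const email = typeof req.body?.email === "string" ? req.body.email.trim() : "";
  if (!EMAIL_RE.test(email)) return { status: 400, error: "invalid email" };
  return {
    url: UPSTREAM_URL, // fixed: the client cannot choose the destination
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${env.MAIL_API_KEY}`,
      },
      body: JSON.stringify({ email }), // only the allow-listed field is forwarded
    },
  };
}

// Handler: forwards the call and returns a minimal response to the browser.
async function handleProxy(req, env, fetchImpl = fetch) {
  const plan = buildUpstreamRequest(req, env);
  if (plan.error) return { status: plan.status, body: { error: plan.error } };
  const upstream = await fetchImpl(plan.url, plan.init);
  // Do not relay upstream bodies or headers; they may echo the key or account data.
  return { status: upstream.ok ? 200 : 502, body: { ok: upstream.ok } };
}
```

Because non-browser clients can send any Origin header, pair a function like this with rate limiting on the serverless platform.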
Are Framer forms secure?
Framer forms use HTTPS. Enable additional spam protection for production sites to prevent bot submissions.
Last updated: April 2026