Webflow Security Checklist
Last updated: January 12, 2026
Use this checklist to ensure your Webflow application is secure before launch. 2 critical items require immediate attention.
Why This Security Checklist Matters
Security checklists serve as systematic guides for identifying vulnerabilities that might otherwise be overlooked during rapid development cycles. For Webflow applications specifically, this checklist addresses the most common security gaps that emerge when using AI-assisted development workflows.
Research from multiple security organizations indicates that approximately 80% of AI-built applications contain at least one exploitable vulnerability at launch. The vulnerabilities are often predictable—they follow patterns that this checklist is designed to catch. By systematically reviewing each item, you significantly reduce the risk of launching an insecure application.
Unlike generic security checklists, this guide focuses specifically on vulnerabilities prevalent in Webflow applications. Each item has been prioritized based on real-world attack patterns and the potential impact of exploitation. Critical items should be addressed before any production deployment.
Critical Priority
Critical items can lead to complete application compromise, data breaches, or unauthorized access to all user accounts. These must be addressed before deploying to production. Attackers actively scan for these vulnerabilities.
High Priority
High priority items represent significant security risks that could allow unauthorized access to sensitive data or functionality. While not immediately catastrophic, these vulnerabilities should be fixed as soon as possible.
Medium/Low Priority
Medium and low priority items strengthen your overall security posture. While they may not be immediately exploitable, addressing them prevents attack chains and defense-in-depth gaps.
Manual vs Automated Security Checking
While manual security reviews are thorough, they're time-consuming and prone to human error. Automated scanning catches common vulnerabilities instantly, freeing you to focus on business logic and complex security decisions.
Items VAS Automates
- Exposed API keys and secrets in JavaScript bundles
- HTTP security header configuration
- Supabase RLS policy testing
- Firebase Security Rules validation
- Cookie security attributes
Manual Review Still Required
- Business logic vulnerabilities
- Custom authentication implementations
- Access control logic in API routes
- Data validation requirements
- Third-party integration security
CMS Security
Review CMS collection visibility
Ensure sensitive collections aren't publicly accessible
Don't store secrets in CMS
CMS content can be exposed via API - keep secrets elsewhere
Configure collection access appropriately
Use collection restrictions for member-only content
Review API access settings
Check who can access your Webflow CMS via API
Custom Code Security
Review all embedded code
Custom code blocks can introduce XSS vulnerabilities
Only embed code from trusted sources
Third-party scripts can execute arbitrary code
Validate embed URLs
Ensure iframe embeds point to legitimate sources
Test custom code for vulnerabilities
Review any JavaScript for security issues
Form Security
Enable reCAPTCHA on forms
Prevent spam and bot submissions
Don't collect sensitive data without HTTPS
AutoWebflow includes HTTPS - ensure it's not disabled
Be careful with form data
Form submissions are stored in Webflow - consider privacy
Validate form integrations
Review webhook and Zapier integrations for data handling
Access Control
Use Memberships for protected content
Use Webflow Memberships rather than obscurity for access control
Review team member permissions
Ensure team members have appropriate access levels
Protect staging sites
Use password protection for staging domains
Audit site settings
Review publishing and access settings
Explore Related Resources
Don't Check Manually
VAS automatically checks 1 of these 16 items. Get instant results with detailed remediation guidance.
Run Automated Security ScanFrequently Asked Questions
Can users see my custom code in Webflow?
Yes, all custom JavaScript in Webflow runs client-side and is visible in browser DevTools. Never include API keys, passwords, or secret business logic in custom code embeds. Use serverless functions for secure operations.
How do I protect Webflow forms from spam?
Enable reCAPTCHA on form elements in Webflow's designer. For custom forms, add honeypot fields and server-side validation. Consider using a form backend service that includes spam filtering.