Is Webflow Safe? No-Code Website Security Review (2026)

Webflow's August 2022 security incident was a phishing attack on an employee, not a platform vulnerability. The company disclosed it promptly, notified affected users, and tightened internal controls. That track record matters. The bigger security questions for most Webflow users are not about the platform's infrastructure but about how they use three specific features: the CMS API, Memberships, and custom code.

Here is what Webflow's security actually looks like and where the real exposure points are.

TL;DR

Webflow is safe for public marketing sites and CMS-driven content. The platform runs on AWS with Fastly CDN, holds SOC 2 Type II certification, and handles SSL, DDoS protection, and managed hosting. The risks are specific: CMS API v1 tokens have full read/write access with no scope limits, Webflow Memberships has no MFA support, and custom code runs in browsers with no sandboxing. For public sites with no user accounts and no sensitive data collection, Webflow is a solid choice.

Safe to Use

What Webflow Controls (Platform Security)

Webflow hosts on AWS infrastructure with Fastly as the CDN. Every published site gets automatic HTTPS via Let's Encrypt certificates, HTTP-to-HTTPS redirects enforced by default, and DDoS mitigation at the CDN edge. You do not configure any of this manually.

Webflow holds SOC 2 Type II certification (achieved 2021), which means an independent auditor verified their security controls over an extended period. They also support GDPR-compliant data processing agreements for EU customers, and Enterprise plans include data residency options.

For static marketing sites and CMS-driven content, this is more than adequate. There is no server for you to patch, no database connection string to protect, and no exposed admin port. The platform's defaults are sensible.

CMS API Token Scope

Webflow's older v1 CMS API uses a Site API Token generated in Project Settings. This token has full read and write access to all content in your project. There is no way to make it read-only or scope it to a specific collection.

If you embed this token in client-side JavaScript (for example, in a custom frontend that fetches CMS data directly from the browser), anyone who opens their browser's network tab can extract it. With that token, they can create, modify, or delete every CMS item on your site.

Never put your Webflow Site API Token in frontend JavaScript. Any request using it must go through a server-side function (Netlify function, Cloudflare Worker, Next.js API route) that keeps the token in an environment variable on the server.

Webflow's v2 API (released 2024) introduced OAuth-based access with granular scopes. If you are building a new integration, use the v2 API and request only the permissions your integration actually needs (for example, cms:read without cms:write). For public read-only CMS queries, use the Webflow Delivery API (it requires only your Site ID, not an auth token, and is safe to call from client-side code).
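One way to apply the server-side rule above, as an added example that is not Webflow's or this article's code: a framework-agnostic proxy that reads the Site API Token from a server environment variable, only forwards GET requests for an allow-listed collection, and never returns the token to the browser. The upstream path and headers follow Webflow's published v1 CMS API as I know it, and the collection ID is a constructed placeholder; both are assumptions to check against your own project.

```javascript
// Added example, not Webflow's own code. Wrap `handler` in a Netlify
// function, Cloudflare Worker or Next.js API route; the token lives only in
// the server-side environment variable WEBFLOW_SITE_TOKEN.
const WEBFLOW_API = "https://api.webflow.com"; // assumed v1 base URL

// Collections the public frontend may read. Constructed placeholder value.
const PUBLIC_COLLECTIONS = new Set(["COLLECTION_ID_PLACEHOLDER"]);

// Decides what (if anything) to send upstream for one browser request.
// Returns { error } for rejected requests, or { url, headers } otherwise.
function buildUpstream(req, env) {
  if (req.method !== "GET") {
    return { error: { status: 405, message: "read-only proxy" } };
  }
  const url = new URL(req.url, "https://proxy.invalid");
  const collectionId = url.searchParams.get("collection");
  if (!collectionId || !PUBLIC_COLLECTIONS.has(collectionId)) {
    return { error: { status: 403, message: "collection not public" } };
  }
  if (!env.WEBFLOW_SITE_TOKEN) {
    return { error: { status: 500, message: "token not configured" } };
  }
  return {
    // assumed v1 endpoint: GET /collections/:collection_id/items
    url: `${WEBFLOW_API}/collections/${encodeURIComponent(collectionId)}/items`,
    headers: {
      Authorization: `Bearer ${env.WEBFLOW_SITE_TOKEN}`,
      "accept-version": "1.0.0",
    },
  };
}

// Performs the upstream call and hands back only the JSON body, so neither
// the token nor any upstream header reaches the visitor's browser.
async function handler(req, env, fetchImpl = fetch) {
  const plan = buildUpstream(req, env);
  if (plan.error) {
    return { status: plan.error.status, body: { error: plan.error.message } };
  }
  const res = await fetchImpl(plan.url, { headers: plan.headers });
  return { status: res.status, body: await res.json() };
}
```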

Webflow Memberships

Webflow Memberships is the platform's built-in user authentication feature, available on Business and Enterprise plans. It lets visitors create accounts, log in, and access gated content via Access Groups.

The security limitations are real:

  • No MFA or 2FA. Webflow Memberships does not support multi-factor authentication as of 2026. Accounts are protected by email and password only.
  • No brute-force controls you can configure. Webflow does apply some internal rate limiting, but there is no UI to set lockout policies, view failed login attempts, or enforce minimum password strength beyond what browsers suggest.
  • No row-level data permissions. Access Groups let you gate whole pages or CMS collection views, but you cannot say "User A can see records 1-50, User B can see 51-100" at the data level.
  • No IP allowlisting. You cannot restrict Memberships logins to a specific IP range.

If your gated content includes financial documents, health data, legal contracts, or any information with regulatory requirements, Webflow Memberships alone is not sufficient. Consider Memberstack, Outseta, or a proper backend auth service (Auth0, Clerk) that supports MFA and audit logs.

For a simple gated blog, course material, or member newsletter with no sensitive personal data, Memberships is functional and the risk profile is acceptable.

Custom Code and Third-Party Embeds

Webflow's Custom Code feature (Site Settings > Custom Code > Head or Footer) lets you inject arbitrary HTML, CSS, and JavaScript into every page on your site. Individual pages can also have their own custom code via Page Settings. The Embed element in the Webflow Designer does the same within a specific section.

All of this code runs in your visitors' browsers with no sandboxing. It can read cookies, fire network requests to any server, and access everything on the page. Webflow does not validate or security-scan this code before publishing.

This is the most common way a Webflow site gets compromised without any Webflow platform fault: a founder adds a third-party analytics or chatbot script, that script's CDN gets compromised, and all visitors are affected.

Before adding any third-party script to your Webflow custom code, check that the script is loaded from the vendor's official CDN and consider adding a Subresource Integrity (SRI) hash to the script tag so browsers reject modified versions. Most major vendors publish SRI hashes in their documentation.

Content-Security-Policy headers are not available on standard Webflow plans. Webflow Enterprise supports custom response headers. For non-Enterprise plans, place Cloudflare in front of your Webflow site and use Cloudflare Transform Rules to inject a CSP header.

Form Data Handling

Native Webflow forms store submissions in your Webflow Dashboard, accessible to all project collaborators. For simple contact forms, this is fine. For forms collecting personal data (addresses, phone numbers, date of birth), you should route submissions to a dedicated tool (Airtable, Notion, a CRM) via Zapier or Webflow Logic, and not rely on the dashboard as a long-term data store.

Webflow Logic can automate post-submission workflows, but it does expose any API keys you add as workflow variables to collaborators with Editor access. Treat Logic workflow variables the same as environment variables in code: use service accounts with minimal permissions and rotate keys periodically.

The 2022 Security Incident

In August 2022, Webflow disclosed that a phishing attack on an employee gave unauthorized parties access to a list of customer email addresses. Webflow sent breach notifications to affected users, described the scope, and explained the remediation steps they took.

This was a social engineering attack on a human, not a platform vulnerability. Webflow's response (disclosure, notification, remediation) was appropriate. It is the kind of incident that can happen to any company, and the response is what matters.

Security Checklist for Webflow Sites

Is Webflow safe for a business website?

Yes, for public marketing sites and CMS-driven content. Webflow handles SSL, DDoS protection, SOC 2 Type II infrastructure, and automatic HTTPS. The risks show up when you use Webflow Memberships for user logins (no MFA support), expose your CMS API token in client-side code, or add unvetted third-party scripts via custom code embeds.

Does Webflow have security vulnerabilities?

Webflow the platform has a strong security posture. The risks come from how you configure it. CMS API tokens (v1) have full read/write scope with no collection-level scoping. In August 2022, Webflow disclosed that a phishing attack on an employee exposed customer email addresses; they notified affected users and improved internal controls.

Is Webflow Memberships secure?

Webflow Memberships works for basic gated content but has limits: no MFA/2FA support, no IP allowlisting, and no row-level data permissions. For anything involving financial data, PII, or regulatory requirements, pair it with a backend auth service (Memberstack, Clerk, Auth0) that supports MFA and audit logs.

Can Webflow custom code steal my visitors' data?

Any code in Webflow's Custom Code section runs in your visitors' browsers with full page access. It can read cookies, fire requests to external servers, and access any DOM content. Webflow does not validate or sandbox this code. Audit every script before adding it and prefer vendors that publish Subresource Integrity hashes.

How do I protect my Webflow CMS API token?

Never include your CMS API token in client-side JavaScript or public repositories. Use the v2 API with OAuth scopes when building new integrations. For public-facing CMS queries, use the read-only Delivery API (requires only your Site ID, not an auth token).
