Allowing paying customers to edit content security policy on their sites

I’d like to be able to load my webflow site in an iframe. I understand the need to block this functionality for free accounts but I’d should be able to relax the Content Security Policy to allow this behavior given I’m a paying customer.

It would probably make sense more broadly to allow paying customers to completely override the CSP. It’s their website and, to a large extent, they should have a great deal of control over how their website interacts with other content on the web.

Please advise.



I think this is to prevent people to use the CMS without paying for it. CMS make use of servers and its price is in the CMS hosting. So either you’re designing a static website that you can export and host wherever you want, either you’re designing a CMS website and there’s a need to pay for server queries, which aren’t covered by your designer plan.

I’m not from Webflow but this makes sense to me.

@vincent thanks for your comment.

Yes, I acknowledged that fact in my initial question. For the non-paying webflow users this would allow them to circumvent the custom domain paywall. This is understandably not allowed.

But for already paying webflow customers, there is no problem in letting them embed their webflow site in an iframe. Am I missing a separate issue with the CMS other than the one I raised in my initial post?

P.S. I’m paying for hosting and the CMS.


@vincent Someone recommended that we set up a content-security-policy that allows another site (sister company) to embed content on their site. Is this advisable?

I have absolutely no clue about this.

  1. Open Site settings > Publishing tab and scroll to Advanced publishing options
  2. Turn off the Use secure frame headers option

Your website should now be allowed to be embedded as an iFrame by other websites that are not in your domain.