CMS Item and Field Security

Hi, I am trying to understand how Webflow handles the security of CMS items under a few scenarios. Here are the scenarios:

  1. Item has been created, but isn’t published (let’s say it is saved as a “draft”).

In this case, I assume that there is no way for a viewer of the website to access the item.

  2. Item has been created and published; however some fields are intended as “internal only” (for example fields intended for the creator of the item at the editor level to help them track the status of items). The public page that shows the item to viewers does not contain those internal only fields.

In this case, can data from the “internal only” fields be accessed by viewers? For example are those fields still loaded even though they aren’t shown? And/or could a sophisticated viewer access the data via some sort of call to the database?

  3. Item has been created and published, but it is not being shown on a public page. (An example would be the item only being on a password protected page, or a filter being applied that excludes the item from what is shown publicly).

Similar to #2 above, can this record still be accessed by a sophisticated viewer, even though no public page shows that item?

Thank you and apologies if this has been covered elsewhere – I took a look and couldn’t find information at this level.

No. Fields not mapped on a page don’t show their data. To access the database, one needs an API key.


Hi, thanks very much for the clarification. My assumption from this is that what is sent to a page is controlled server-side by Webflow, rather than a page being loaded and then “calling” the data from the server. Thus, unless I’ve specified that information should appear on a page, the information remains private.

I guess the one thing to watch out for is that Webflow will publish and list on the sitemap a page for each collection item; so I will need to be careful to either a) keep the CMS collection page behind a password; or b) keep the item as a draft, rather than published.

A query is made when you visit the page, the server crafts the page with necessary data, then the page is served. That happens on the first visit of the page, by anyone. Then the page is kept in cache as a static page, for efficiency, as long as there’s no CMS change to it.

Absolutely. Never expect to easily or efficiently control the privacy of content that’s on the same CMS collection, with some being public and others being private. Rethinking how you manage content is preferable. I personally would not be so at ease with relying on an item being Draft for it to be private. Cache happens everywhere and publishing accidents or bugs can happen too.

1 Like
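
An added example, not part of the thread or Webflow's own code: one way to check the sitemap concern raised above is to parse the published sitemap and list every collection item page it advertises, then compare that against the items you meant to be public. It assumes item pages live at `/<collection-slug>/<item-slug>`; the sitemap content, domain and slugs below are constructed sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sample sitemap: domain, collection slug and item slugs are made up.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/blog/launch-notes</loc></url>
  <url><loc>https://example.com/projects/acme-rollout</loc></url>
  <url><loc>https://example.com/projects/internal-audit-2024</loc></url>
  <url><loc>https://example.com/projects-archive</loc></url>
</urlset>"""


def listed_item_pages(sitemap_xml, collection_slug):
    """Return sitemap URLs that are item pages under /<collection_slug>/.

    Assumption: an item page path has exactly two segments,
    the collection slug followed by the item slug.
    """
    root = ET.fromstring(sitemap_xml)
    hits = []
    for loc in root.findall("sm:url/sm:loc", SITEMAP_NS):
        url = (loc.text or "").strip()
        parts = [p for p in urlparse(url).path.split("/") if p]
        if len(parts) == 2 and parts[0] == collection_slug:
            hits.append(url)
    return hits


def unexpected_items(sitemap_xml, collection_slug, intended_public):
    """Item pages in the sitemap whose slug is not on the intended-public list."""
    unexpected = []
    for url in listed_item_pages(sitemap_xml, collection_slug):
        item_slug = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
        if item_slug not in intended_public:
            unexpected.append(url)
    return unexpected


if __name__ == "__main__":
    # Only "acme-rollout" was meant to be public in this constructed scenario.
    for url in unexpected_items(SAMPLE_SITEMAP, "projects", {"acme-rollout"}):
        print("listed but not intended to be public:", url)
```
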


Also recognize that some fields in the CMS, no matter what state it’s in, are uploaded to a public CDN.

You don’t even have to finish creating your new CMS Collection item.

Just add an asset to a file / image field, don’t even save your new cms item, and it gets immediately uploaded to a public CDN.

Now anyone with that public CDN url can access your files, and you never even created the CMS item.

Maybe you even hit the cancel button to back out of creating that new CMS item.

Doesn’t matter, it’s still live on a public CDN.

Make a mistake and upload the wrong document? It’s uploaded to the live CDN and there is no “delete” button for you to remove it.

Sure, if you didn’t post that public CDN url anywhere maybe no person (or search engine) will find it. Maybe. But that’s out of your control and you don’t really know what’s happening behind the scenes.

Food for thought.


@vincent - thanks very much for the further clarification, very helpful.

@ChrisDrit - I recall reading about this in a post, but hadn’t really focused on it. Seems like something Webflow needs to address, and users need to watch out for.
