Webflow claims to support x-content-type-options and referrer-policy Security Headers. When a site is checked against a security header checker, Webflow sites that are not on Enterprise are missing these. If these are supported, why are they not allowed by default? Being able to add these items is certainly not worth the cost to move to Enterprise. I love using Webflow and want to move all my clients to the platform, but this issue makes that a hard sell. When can Webflow do something about this? Also, when will the permissions-policy header also be an option? Webflow, please help us all to be successful on your platform.
Webflow don’t offer many server configuration options in general.
No server side code, custom headers, custom SSL, domain-specific redirects, WAF, etc. on the non-Enterprise plans.
The reasoning is pretty clear though. Not many would use it, and it adds complexity, which translates to testing, bug risk, and support costs.
I haven’t checked, but I’d guess most SaaS hosting platforms are very similar in this regard.
When I need these features (very rarely), it’s easy to add with Cloudflare as a reverse proxy setup on top of standard Webflow hosting, and you can customize it exactly the way you want.
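The Cloudflare reverse-proxy approach from the reply above, sketched as a Worker that fills in the three headers named in the question when the origin response lacks them. This is an added example, not part of the original thread and not Webflow's or Cloudflare's own code; the header values and function names are assumptions to adapt per site.

```javascript
// Added example. Header names come from the thread; the values are assumptions.
const SECURITY_HEADERS = {
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
  // Constructed policy: switch off features a marketing site rarely needs.
  "permissions-policy": "geolocation=(), camera=(), microphone=()",
};

// Report which of the headers are absent, the way a header checker would.
function missingSecurityHeaders(headers) {
  return Object.keys(SECURITY_HEADERS).filter((name) => !headers.has(name));
}

// Copy the origin response and fill in only the headers it lacks,
// so a value the origin already sends is never overwritten.
function withSecurityHeaders(response) {
  // A 101 upgrade response cannot be rebuilt; pass it through untouched.
  if (response.status === 101) return response;
  const headers = new Headers(response.headers);
  for (const name of missingSecurityHeaders(headers)) {
    headers.set(name, SECURITY_HEADERS[name]);
  }
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Worker entry point (service-worker syntax): fetch the page from the
// origin behind the proxy, then add the headers on the way out.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(fetch(event.request).then(withSecurityHeaders));
  });
}
```

After deploying, re-running the same security header checker against the proxied hostname confirms the headers are present.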