Asset privacy

Updated

Understand asset and file privacy in Webflow.

When you upload an asset (e.g., a PDF file or an image) to the Assets panel or to a Collection field, that asset is also imported to Amazon Web Servers (AWS) and delivered via our content delivery network (CDN). This generates a unique filename that also links the file to your site.

Files you upload to the Assets panel or Collection field are not restricted — that is, they are publicly available and discoverable, but won’t necessarily be discovered or indexed by search engines if the file isn’t on a publicly viewable webpage or linked elsewhere.

Scenarios where assets are potentially discoverable

There are a few scenarios where assets uploaded to your site could potentially be discovered or indexed by search engines:

  • You have a direct link to the uploaded asset
  • The unique filename (GUID) can be guessed
  • The asset is linked or shared somewhere (e.g., a Collection page or static page contains or links to the asset)
  • The asset is on a publicly viewable webpage for Google or other search engines to crawl and index the asset

If you’ve accidentally uploaded a sensitive file, you can request to remove the file from our CDN.

Note

If a Collection page links to the file, or if the file is linked elsewhere on a static page (or a Collection page) via a CMS Collection list, Google can crawl the page and index any links it follows.

How to prevent discovery of uploaded assets

You can prevent discovery of uploaded assets with a few methods:

It’s important to note that these methods will not remove restricted files that have already been indexed by search engines. If a restricted file has already been indexed by search engines, you can request to remove the file from our CDN.

Password protection

If a page containing the asset or a link to the asset is password protected, the link won’t be found on the page. This is because the page returns a password protected response — and the content won’t be loaded or indexed.

However, if the page that contains the asset or link to the asset is not initially password protected and becomes password protected at a later time, search engines may have already crawled and indexed the content — including any links to files on the page. In this instance, the actual file link is still loadable and search engines would continue to index that file. In other words, the link to the uploaded file is not password protected — only the page itself is password protected.

Additionally, private files on password protected pages may be indexed if the page’s password protection relies on custom scripts (rather than Webflow’s native password protection feature). Because search engine crawlers crawl with JavaScript disabled, custom scripts will not prevent private files from being crawled or indexed.

To avoid indexing a link (such as a link to a PDF file), you can set a rel=nofollow attribute on links to the file you want to restrict.

To set the nofollow custom attribute on links:

  1. Select the link on which to set the custom attribute
  2. Go to Element settings panel > Custom attributes
  3. Click the “plus” icon
  4. Add “rel” in the Name field and “nofollow” in the Value field
  5. Click out of the modal to save the attribute
Important

The nofollow attribute is only a suggestion to search engines to not follow the link with the attribute to the restricted file. Search engines may still index the file if they crawl the file from a link elsewhere. Additionally, the nofollow attribute will not remove restricted files that were already indexed by search engines.

Restricted access form file upload

Assets uploaded through form file uploads when Restrict file upload access is toggled “off” are not restricted. To restrict files uploaded via form file upload, go to Site settings > Forms > Restrict uploaded file access and toggle Restrict file upload accesson.”

Files uploaded via restricted form file upload access are not accessible for search engines to index or for others to view without being logged in to a Webflow account with access to those form submissions. Learn more about restricting access to form file uploads.

Note

Files uploaded via restricted form file upload access cannot be used on CMS Collection pages or static pages. This is because their links are restricted and require logged-in access.

How to remove files from our CDN

If you’ve accidentally uploaded a sensitive file, you can request to have the file removed from our CDN so the link to the file will lead to a 404 error and search engines will eventually un-index the files from search results.

If the file was uploaded to the Assets panel, follow these steps to have it removed from our CDN:

  1. Create a list of links to all assets you want to delete
  2. Remove all instances of the asset(s) from your site
  3. Delete the asset(s) in the Assets panel (note that deleting the asset(s) from the Assets panel will not remove all instances of the asset(s) from your site)
  4. Contact customer support with your list of file links

Learn more about deleting assets from the Assets panel.

If the file was uploaded to a Collection field, follow these steps to have it removed from our CDN:

  1. Create a list of links to all files you want to delete
  2. Remove or replace the file(s) in the Collection field(s) so they are no longer connected to your Collection items
  3. Contact customer support with your list of file links