Learn how to improve your site’s security and performance.
You can utilize advanced publishing options to help your site load faster and protect your site from several kinds of clickjacking attacks.
Advanced publishing options are located in the publishing dropdown when designing or building in Webflow and under Site settings > Publishing tab > Advanced publishing options.
Enable SSL
SSL is enabled by default for sites created after November 14th, 2018.
To enable SSL on a site created before that date, set Enable SSL to on, save your changes, and publish your site.
You can toggle Enable SSL off, but keep in mind that sites that don’t use SSL may be labeled “not secure” by some browsers, strongly discouraging people from visiting your site. We strongly recommend enabling SSL.
For security, you cannot disable SSL on sites with Ecommerce or User Accounts enabled.
Minify HTML, CSS, JS
You can minify HTML, CSS, and/or JS separately. Minifying your site’s code can help your live website load faster, but can also make your code a little harder to read. Minifying the HTML can also fix spacing issues with inline-block elements.
Good to know
You can minify HTML, CSS, and JS independently of each other.
Asynchronously load JavaScript
Note
The option to asynchronously load JavaScript is gradually being rolled
out to all users. It requires a paid
Site plan or Workspace plan.
When Asynchronously load JavaScript is toggled off (default), the browser loads JavaScript files synchronously (i.e., one at a time and in a specific order) before rendering page content (HTML and CSS). This can slow down how quickly content becomes visible and interactive, especially if scripts are large or complex.
When Asynchronously load JavaScript is toggled on, the browser loads JavaScript files in parallel and at the same time as rendering page content. This allows visible content to load and become interactive more quickly, which can improve perceived load time and performance metrics. However, custom JavaScript that you’ve added to your site may not run as expected if it relies on JavaScript files being loaded synchronously.
Please note that you’ll need to click Save and publish your site after toggling on Asynchronously load JavaScript for the change to take effect on your live site.
Important
If your site uses custom JavaScript, toggling on
Asynchronously load JavaScript may prevent it from running
as expected. This happens when your custom JavaScript relies on Webflow
JavaScript that hasn’t been fully loaded by the browser. Depending on
your specific custom code, there are two main ways to delay its execution
and ensure it works when asynchronously loading JavaScript:
-
External JavaScript — add the
defer attribute to
<script> tags with a src attribute
to delay execution until the HTML is fully parsed.
-
Inline JavaScript — wrap inline JavaScript in a window load event
handler to ensure execution only happens after all resources are
loaded.
Learn more about asynchronously loading per page JavaScript.
Note
Webflow Support is unable to provide assistance with custom code. If
your custom JavaScript (JS) doesn’t work after enabling asynchronous
JS loading and publishing your site, we recommend disabling the feature
and republishing your site while you
work with a developer
or reach out in the
Webflow forum
for support.
Using secure frame headers protects your site from several kinds of clickjacking attacks by restricting where your site can be embedded. Enabling this option will add a couple of headers to your published pages to prevent the pages from being embedded in iframes.
For security, you cannot disable secure frame headers on sites with Ecommerce or User Accounts enabled.
Note
It isn’t possible to embed Webflow staging subdomains (e.g., yoursite.webflow.io) in iframes, due to Webflow staging domain security. However, if you add a custom domain or subdomain to your site, you can embed your site in iframes as long as Use secure frame headers is set to off.