Webflow's CMS, edge functions, and Wized/Xano integrations create a specific security surface. Logic and data handling distributed across multiple services requires careful review.
These aren't hypothetical risks. These are the patterns our engineers find consistently when reviewing Webflow output.
Webflow CMS items can be publicly accessible via the API without authentication if collection visibility isn't configured correctly.
Custom code and edge functions in Webflow are frequently written without input validation or rate limiting, creating injection and abuse vectors.
Wized, Xano, and other backend integrations are often configured with overly permissive API keys shared across environments.
Webflow's cookie and form handling requires explicit configuration for GDPR compliance — particularly consent capture and data residency.
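For the shared API key pattern described above, one way to check per-environment settings for reused credentials. This is an added example, not code from the original page; the dotenv layout, variable names and key values are constructed for illustration.

```javascript
// Constructed sample input: dotenv-style settings per environment.
// Variable names and key values are invented for this example.
const SAMPLE_ENVS = {
  development: 'XANO_API_KEY="xk_9f2c7a1b44d0"\nWIZED_TOKEN=wz_dev_1111\nSITE_NAME=demo',
  staging: "# staging\nexport XANO_API_KEY=xk_9f2c7a1b44d0\nWIZED_TOKEN=wz_stg_2222",
  production: "XANO_API_KEY='xk_9f2c7a1b44d0'\nWIZED_TOKEN=wz_prd_3333\nSITE_NAME=demo",
};
// Only variables whose names look like credentials are compared.
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)/i;

// Parse dotenv-style text into [name, value] pairs (comments, `export`, quotes handled).
function parseEnv(text) {
  const pairs = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().replace(/^export\s+/, "");
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue; // no name before "=": not an assignment
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    pairs.push([line.slice(0, eq).trim(), value]);
  }
  return pairs;
}

// Report every credential value that is configured in more than one environment.
function findSharedSecrets(envs) {
  const seen = new Map(); // value -> { names, environments }
  for (const [env, text] of Object.entries(envs)) {
    for (const [name, value] of parseEnv(text)) {
      if (!SECRET_NAME.test(name) || value === "") continue;
      const entry = seen.get(value) || { names: new Set(), environments: new Set() };
      entry.names.add(name);
      entry.environments.add(env);
      seen.set(value, entry);
    }
  }
  return [...seen.entries()]
    .filter(([, e]) => e.environments.size > 1)
    .map(([value, e]) => ({
      names: [...e.names].sort(),
      environments: [...e.environments].sort(),
      masked: value.slice(0, 4) + "...", // never print the full secret
    }));
}

console.log(JSON.stringify(findSharedSecrets(SAMPLE_ENVS), null, 2));
```

A finding means one credential unlocks every listed environment, so a leak from development or staging also exposes production data; issue a separate key per environment.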