Implementation overview
How to Enable HSTS for subdomains on Webflow?
HSTS with the includeSubDomains directive extends HTTPS enforcement from your main domain to every subdomain. Without it, your main domain might be HTTPS-only while a subdomain like blog.yourdomain.com or app.yourdomain.com could still be reached over plain HTTP, which leaves an unencrypted entry point open as a potential attack vector.
First: does this apply to you? If your Webflow site has no subdomains and never will, this item is largely informational. Many Webflow sites operate on a single www.yourdomain.com domain. If that's your case, includeSubDomains has no practical effect. If you run a staging environment, app, or marketing subdomain, or plan to add subdomains, it matters.
How it works: your server sends a Strict-Transport-Security header like max-age=31536000; includeSubDomains. Once a browser receives this, it treats all subdomains of your domain as HTTPS-only for the cached lifetime — typically one year. Any HTTP request to any subdomain is automatically upgraded to HTTPS by the browser, without touching your server first.
The risk to understand: includeSubDomains applies to subdomains you haven't set up yet. If you enable this header and then try to launch a new subdomain without HTTPS configured, that subdomain will be inaccessible to browsers that have cached the HSTS header. Make sure every subdomain you run or plan to run has a valid SSL certificate before enabling this directive.
Checking your configuration: visit securityheaders.com and enter your domain. It shows exactly what HSTS header you're sending and whether includeSubDomains is present. For Webflow-hosted sites, the header is controlled by Webflow's infrastructure — check what's actually being sent rather than assuming what's configured.
Monthly check: if you added a new subdomain since last month, verify it's serving HTTPS before browsers that have cached the HSTS header start forcing HTTPS on it. The header is only meaningful when every subdomain serves HTTPS; one HTTP-only subdomain turns it from a protection into an outage. Use the internal Webflow SEO Checklist monthly review loop to stay on top of these infrastructure checks.
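To make the check above concrete, here is an added example (not Webflow's code or part of this guide's original text) that parses a Strict-Transport-Security header value into its directives and then reports the two things worth catching: a weak or missing max-age / includeSubDomains, and any subdomain that would become unreachable because it does not serve HTTPS. The header value is the one quoted above; the subdomain list is a constructed placeholder, since a real run would take the header from securityheaders.com or a curl -I of your site.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the max-age value the article recommends


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is absent or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an STS header value. Directives are ';'-separated, names are
    case-insensitive, and max-age may be quoted (RFC 6797 syntax)."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header_value: str, subdomain_https: Dict[str, bool]) -> List[str]:
    """Return human-readable findings. subdomain_https maps each subdomain
    you operate to True if it serves valid HTTPS (constructed inventory)."""
    policy = parse_hsts(header_value)
    findings: List[str] = []
    if policy.max_age is None:
        findings.append("missing max-age: header is invalid and browsers ignore it")
    elif policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
        return findings
    # With includeSubDomains cached, any HTTP-only subdomain becomes unreachable.
    for host, serves_https in sorted(subdomain_https.items()):
        if not serves_https:
            findings.append(f"{host} has no HTTPS: browsers that cached this header cannot load it")
    return findings


SAMPLE_HEADER = "max-age=31536000; includeSubDomains"  # value quoted in the article
SAMPLE_SUBDOMAINS = {"www.example.com": True, "blog.example.com": True,
                     "staging.example.com": False}  # constructed inventory

if __name__ == "__main__":
    for line in hsts_findings(SAMPLE_HEADER, SAMPLE_SUBDOMAINS) or ["no findings"]:
        print(line)
```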
How to do it on Webflow?
- Enable SSL: Ensure SSL is enabled for your site in Webflow’s hosting settings.
- Add the HSTS Header for subdomains: Toggle the HSTS preload header for subdomains in your hosting settings.