Implementation overview

How to Enable HSTS preload header on Webflow?

HSTS (HTTP Strict Transport Security) is a security header that tells browsers to always connect to your site over HTTPS, never HTTP — even if a user types the HTTP version of your URL. It prevents protocol downgrade attacks, where an attacker intercepts a connection before HTTPS is established and serves malicious content over the unencrypted channel.

HSTS preloading takes this further. Browser vendors maintain a hardcoded list of domains that are always loaded over HTTPS — the HSTS preload list. Sites on this list are HTTPS-only from the very first request, before a browser has ever seen any HSTS header. For regular HSTS, the first visit might still go through a brief HTTP request before the header is received and cached. Preload eliminates that window entirely.

How HSTS works: when your server sends the Strict-Transport-Security header, the browser caches it. For the duration of the max-age value (typically one year = 31536000 seconds), the browser refuses HTTP connections and automatically uses HTTPS. The includeSubDomains directive extends this to all subdomains.

Checking your current HSTS configuration: visit securityheaders.com or run a header check tool on your domain. Look for the Strict-Transport-Security response header. For Webflow-hosted sites with SSL enabled, Webflow sends this header — check what max-age and directives are currently set.

Getting on the HSTS preload list: visit hstspreload.org. To qualify: HTTPS with a valid certificate, HTTP-to-HTTPS redirect, HSTS header with max-age of at least 31536000, includeSubDomains directive, and the preload directive. Submission to inclusion can take weeks to months via browser updates.
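The header semantics above (max-age, includeSubDomains, preload) and the preload requirements can be checked mechanically. The following is an added example, not Webflow's code or a tool from hstspreload.org: it parses a Strict-Transport-Security header value as RFC 6797 defines it and reports which of the header-level preload requirements the value fails. The `fetch_hsts_header` helper, the `HstsPolicy` class and the sample header values are assumptions constructed for this example; certificate validity and the HTTP-to-HTTPS redirect are separate checks that this script does not perform.

```python
"""Parse a Strict-Transport-Security header and compare it with the
hstspreload.org header requirements.  Added example; the helper names
and the SAMPLES values are constructed, not taken from any real site."""
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # minimum max-age (seconds) the preload list requires


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)  # directives we do not recognise


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value per RFC 6797 section 6.1: directives are
    separated by ';', names are case-insensitive, max-age may be quoted,
    and max-age is mandatory."""
    policy = HstsPolicy()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"invalid max-age: {val!r}")
            policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.unknown.append(name)
    if policy.max_age is None:
        raise ValueError("max-age directive is required")
    return policy


def preload_problems(header: Optional[str]) -> List[str]:
    """Return the reasons this header would fail preload submission.
    An empty list means the header part of the checklist passes."""
    if header is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the required {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def fetch_hsts_header(host: str, timeout: int = 10) -> Optional[str]:
    """HEAD https://host/ and return the HSTS header value, or None if absent.
    Browsers only honour the header when it arrives over HTTPS, so the
    request is deliberately made over HTTPS.  Needs network access; the
    offline samples below do not call it."""
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed sample header values covering the common failure modes.
SAMPLES = {
    "preload-ready": "max-age=31536000; includeSubDomains; preload",
    "too-short": "max-age=86400; includeSubDomains; preload",
    "no-subdomains": "max-age=63072000; preload",
    "basic": "max-age=31536000",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        problems = preload_problems(value)
        print(f"{label:14} -> {'OK' if not problems else '; '.join(problems)}")
```

To check a live site, call `preload_problems(fetch_hsts_header("example.com"))` with your own domain; an empty list means the header itself meets the preload requirements, and the remaining requirements (valid certificate, HTTP-to-HTTPS redirect) still have to be verified through hstspreload.org.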

The critical caveat: HSTS preload is difficult to undo. Once your domain is on the list, it takes 6–12 months to remove, and browsers enforce it until they update. Only submit if you're committed to HTTPS on all subdomains indefinitely. Submitting prematurely — before every subdomain has SSL — is a common mistake that breaks those subdomains for every user whose browser already ships the updated list.

Monthly check: verify your HSTS header is present with the correct max-age. If you've submitted to the preload list, check hstspreload.org for your domain's current status. For most Webflow sites, the standard HSTS header is sufficient. Preload is worth considering if security compliance or enterprise trust signals matter to your audience.

How to do it on Webflow?

  1. Enable SSL: Ensure SSL is enabled for your site in Webflow’s hosting settings
  2. Add the HSTS Header: In your hosting settings, toggle the HSTS preload header