AviaryAI: Webflow Security Headers & SEO
Overview
During the 2026-02-04 weekly sync, Mark Hope flagged that AviaryAI's Webflow site has significant security header gaps — only an HSTS (Strict-Transport-Security) policy is in place. This is both a security concern and an SEO signal Google weighs negatively. The issue is compounded by Webflow's platform constraints, which limit the low-level server configuration that would normally address these gaps.
See also: [1] | [2]
The Problem
Missing Security Headers
Mark's review of the site identified that only the Strict-Transport-Security (STS/HSTS) header is configured. Standard headers that are absent include:
- Content-Security-Policy (CSP) — controls which resources the browser is allowed to load
- X-Frame-Options — prevents clickjacking by disallowing the site from being embedded in iframes
- X-Content-Type-Options — prevents MIME-type sniffing
- Referrer-Policy — controls how much referrer information is passed with requests
- Permissions-Policy — restricts access to browser features
Google's crawlers and ranking algorithms treat missing security headers as a quality signal. An incomplete header configuration can suppress rankings, particularly for sites already struggling with thin content.
Webflow Platform Constraint
Mark noted that his normal remediation workflow involves SSH access and direct PHP/server configuration. Webflow abstracts away this layer entirely — there is no direct server access. This means:
- Standard .htaccess or nginx.conf edits are not possible
- Security headers must be configured through Webflow's built-in settings, custom code injection, or a CDN/proxy layer (e.g., Cloudflare)
- Risk of breaking the site is higher when working around platform constraints
"I normally fix websites by going in SSH and working in the guts, and I don't think I can do that in Webflow without blowing something up." — Mark Hope
Recommended Remediation Approaches
Given Webflow's constraints, the practical options for adding security headers are:
- Cloudflare (preferred): Route the site through Cloudflare and configure security headers at the CDN edge via Transform Rules. This is the most robust solution and does not require touching Webflow internals.
- Webflow Custom Code / <head> injection: Some headers (e.g., CSP as a <meta> tag) can be partially implemented via Webflow's custom code injection, though <meta>-based CSP has limitations compared to true HTTP headers.
- Webflow Hosting Settings: Webflow's enterprise/advanced plans expose limited HTTP header controls — worth auditing what the current plan allows.
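The split between what <head> injection can deliver and what needs a real HTTP response header (for example from the Cloudflare option above), as an added example that is not part of the original notes. The names `planHeaders`, `parseCsp` and `samplePlan` and the sample header values are assumptions for illustration.

```javascript
// Directives the CSP spec ignores when the policy arrives in a <meta> element.
const META_IGNORED_CSP = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Escape a value for use inside a double-quoted HTML attribute.
const attr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
// Split a CSP string into [name, values] directive pairs.
function parseCsp(policy) {
  return policy.split(";").map((d) => d.trim()).filter(Boolean).map((d) => {
    const [name, ...values] = d.split(/\s+/);
    return [name.toLowerCase(), values.join(" ")];
  });
}

// desired: { "Header-Name": "value" }. Returns the <head> tags a browser will
// honour and the headers that only an HTTP response (edge/CDN) can deliver.
function planHeaders(desired) {
  const plan = { headTags: [], edgeOnly: {}, lostInMeta: [] };
  for (const [name, value] of Object.entries(desired)) {
    switch (name.toLowerCase()) {
      case "content-security-policy": {
        const directives = parseCsp(value);
        const kept = directives.filter(([d]) => !META_IGNORED_CSP.has(d));
        plan.lostInMeta = directives.filter(([d]) => META_IGNORED_CSP.has(d)).map(([d]) => d);
        const content = kept.map(([d, v]) => (v ? `${d} ${v}` : d)).join("; ");
        if (content) plan.headTags.push(`<meta http-equiv="Content-Security-Policy" content="${attr(content)}">`);
        // The full policy still belongs at the edge when any directive is lost.
        if (plan.lostInMeta.length) plan.edgeOnly[name] = value;
        break;
      }
      case "referrer-policy":
        plan.headTags.push(`<meta name="referrer" content="${attr(value)}">`);
        break;
      default:
        // X-Frame-Options, X-Content-Type-Options, Permissions-Policy, HSTS: no honoured <meta> form.
        plan.edgeOnly[name] = value;
    }
  }
  return plan;
}

// Constructed target values for illustration; tune them to the real site.
const samplePlan = planHeaders({
  "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=()",
});
console.log(JSON.stringify(samplePlan, null, 2));
```

A <meta>-delivered CSP only governs content parsed after the tag, so it should be the first element injected into the head.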
SEO Implications
Security headers are one factor in a broader SEO remediation effort for AviaryAI. The site's current organic performance is severely limited:
- ~5 organic visits/month
- Only 2 indexed keywords
- Core pages have fewer than 200 words of text (below Google's indexing threshold)
Security header gaps compound the thin-content problem. Addressing both in parallel is the recommended approach. See [2] for the content remediation strategy.
Site Structure Constraints
Justin Dwyer confirmed that two pages are off-limits for structural changes:
- Homepage — messaging is locked around the voice agent product
- Safety & Security page — content and structure to remain consistent
All other pages are available for SEO restructuring. This is relevant context when planning where to add security-related trust signals or copy.
Action Items (from 2026-02-04 call)
| Owner | Task | Status |
|---|---|---|
| Mark Hope | Add security headers to Webflow site | Open |
Related Notes
- [1]
- [2]
- [3]