---
title: 'AviaryAI: Webflow Security Headers & SEO'
type: article
created: '2026-02-04'
updated: '2026-02-04'
source_docs:
- raw/2026-02-04-aviaryai-weekly-call-119843123.md
tags:
- webflow
- security-headers
- seo
- client:aviaryai
layer: 2
client_source: null
industry_context: null
transferable: true
---
# AviaryAI: Webflow Security Headers & SEO
## Overview
During the 2026-02-04 weekly sync, Mark Hope flagged that AviaryAI's Webflow site has significant security header gaps — only an HSTS (Strict-Transport-Security) policy is in place. This is both a security concern and an SEO signal Google weighs negatively. The issue is compounded by Webflow's platform constraints, which limit the low-level server configuration that would normally address these gaps.
See also: [[clients/aviaryai/_index]] | [[knowledge/website/thin-content-indexing]]
---
## The Problem
### Missing Security Headers
Mark's review of the site identified that only the `Strict-Transport-Security` (STS/HSTS) header is configured. Standard headers that are absent include:
- **Content-Security-Policy (CSP)** — controls which resources the browser is allowed to load
- **X-Frame-Options** — prevents clickjacking by disallowing the site from being embedded in iframes
- **X-Content-Type-Options** — prevents MIME-type sniffing
- **Referrer-Policy** — controls how much referrer information is passed with requests
- **Permissions-Policy** — restricts access to browser features
Google's crawlers and ranking algorithms treat missing security headers as a quality signal. An incomplete header configuration can suppress rankings, particularly for sites already struggling with thin content.
### Webflow Platform Constraint
Mark noted that his normal remediation workflow involves SSH access and direct PHP/server configuration. Webflow abstracts away this layer entirely — there is no direct server access. This means:
- Standard `.htaccess` or `nginx.conf` edits are not possible
- Security headers must be configured through Webflow's built-in settings, custom code injection, or a CDN/proxy layer (e.g., Cloudflare)
- Risk of breaking the site is higher when working around platform constraints
> *"I normally fix websites by going in SSH and working in the guts, and I don't think I can do that in Webflow without blowing something up."* — Mark Hope
---
## Recommended Remediation Approaches
Given Webflow's constraints, the practical options for adding security headers are:
1. **Cloudflare (preferred):** Route the site through Cloudflare and configure security headers at the CDN edge via Transform Rules. This is the most robust solution and does not require touching Webflow internals.
2. **Webflow Custom Code / `` injection:** Some headers (e.g., CSP as a `` tag) can be partially implemented via Webflow's custom code injection, though ``-based CSP has limitations compared to true HTTP headers.
3. **Webflow Hosting Settings:** Webflow's enterprise/advanced plans expose limited HTTP header controls — worth auditing what the current plan allows.
---
## SEO Implications
Security headers are one factor in a broader SEO remediation effort for AviaryAI. The site's current organic performance is severely limited:
- ~5 organic visits/month
- Only 2 indexed keywords
- Core pages have fewer than 200 words of text (below Google's indexing threshold)
Security header gaps compound the thin-content problem. Addressing both in parallel is the recommended approach. See [[knowledge/website/thin-content-indexing]] for the content remediation strategy.
### Site Structure Constraints
Justin Dwyer confirmed that two pages are off-limits for structural changes:
- **Homepage** — messaging is locked around the voice agent product
- **Safety & Security page** — content and structure to remain consistent
All other pages are available for SEO restructuring. This is relevant context when planning where to add security-related trust signals or copy.
---
## Action Items (from 2026-02-04 call)
| Owner | Task | Status |
|-------|------|--------|
| Mark Hope | Add security headers to Webflow site | Open |
---
## Related Notes
- [[clients/aviaryai/_index]]
- [[knowledge/website/thin-content-indexing]]
- [[meetings/2026-02-04-aviaryai-weekly-call]]