🛡️ Sterling Webflow Security Guidelines

1. 🔐 Admin & Access Control

• Team Roles:
  
  

  • Only assign Admin access to trusted collaborators.
    
    

  • Use Editor role for content creators — never give them design access.
    
    

• 2FA:
  
  

  • Enable Two-Factor Authentication (2FA) on all Webflow and email accounts associated with Sterling.
    
    

• Webflow Login:
  
  

  • Avoid logging in from shared/public devices.
    
    

  • Do not share credentials via email or chat. Use secure platforms like 1Password or Bitwarden.
    
    

2. 🌍 Hosting & Domains

• SSL Certificate:
  
  

  • Ensure SSL is enabled in Webflow's hosting settings. (Auto-redirect all traffic to HTTPS).
    
    

• Custom Domain:
  
  

  • Keep domain registrar login secured with strong passwords and 2FA.
    
    

  • Set auto-renew to avoid expiration risks.
    
    

• Subdomain Security:
  
  

  • Disable unused subdomains or redirects.
    
    

3. 🔒 Webflow Project Settings

• Password Protection:
  
  

  • Use page-level password protection for private or under-development pages.
    
    

• Site Backups:
  
  

  • Regularly create backups before any major update.
    
    

• Custom Code Security:
  
  

  • Review and sanitize all embedded <script> and <iframe> tags.
    
    

  • Avoid loading scripts from unknown or unverified sources.
    
    

4. 🧾 Forms & Data Handling

• Form Spam Protection:
  
  

  • Enable Google reCAPTCHA in Webflow forms.
    
    

• Form Data Access:
  
  

  • Restrict who can access form submissions in the dashboard.
    
    

• External Integrations:
  
  

  • Review and validate third-party form handlers or CRMs.
    
    

  • Use Webhook URLs only from trusted platforms.
    
    

5. 🧩 Third-Party Tools

• Vet all integrations (e.g., analytics, live chat, CRMs) before embedding.
  
  

• Avoid any plugins or scripts that:
  
  

  • Load external JS from untrusted domains.
    
    

  • Request excessive permissions (cookies, device info, etc.).
    
    

• Maintain a list of all third-party tools/scripts used on the site.
  
  

6. 📊 Analytics & Tracking

• Use trusted tools only (e.g., Google Analytics, Plausible, Fathom).
  
  

• Disclose tracking with a cookie consent banner if required by GDPR/CCPA.
  
  

• Don’t store sensitive user data in tracking tools.
  
  

7. 👥 Team Management & Workflow

• Rotate passwords and API keys when a team member leaves.
  
  

• Regularly audit project access (quarterly is ideal).
  
  

• Keep a changelog or notes of major edits (especially custom code changes).
  
  

8. 🔄 Recovery & Contingency

• Download regular site backups (Webflow’s version history + local backups of important assets).
  
  

• Maintain contact info for domain/hosting support.
  
  

• Set up emergency procedures (who to contact, how to roll back, etc.).