Streaming live at 10am (PST)

Client has security concerns


#1

I’m creating a site for a client’s business, he is very concerned about security and people hacking into the site once it is live. All I’m reading about on here is SSL. What else can I bring to/ tell my client about security with Webflow that will put his mind at ease?


#2

Webflow is ISO 27018 compliant. That should answer most if not all of your Client’s concerns :wink:


#3

Nonetheless, I agree with you that it would be good for @webflow @thesergie to highlight a bit more what’s done in terms overall security, data protection and service SLAs. This is indeed an essential part of the sales pitch and a sensitive subject. We need more transparency or clearer information on this, especially as Webflow is about to directly offer an ecommerce solution (adding PCI / payment processing compliance information on that topic).


#4

Just thought i would add, if your client is trading within the EU, or your client is within an EU country it is important that under the GDPR coming into play on the 25th of May, that Webflow provides information on who can access the data you store on their servers. You also need to provide a way for clients to request a copy or be able to remove the information you may store if you have a client login or providing access to private data or allowing personal data to be stored via SQL.

Being ISO compliant does not in any way mean your data is secured. Although the hosting service of web-flow may be on an A- rated server (highest public access rating) and they will have server side security, the public directory files are often attempted to be exploited so that commonly known threats are unpackaged and your hosting/web service is used for spam exploits, basically your website starts sending high volumes of spam and your IP address can be blacklisted until the site is cleaned. I am unaware if Webflow use back-up capabilities, i host my own sites and do not us the database function of Webflow which you cannot use if you host your own sites, i also run my own security and restore options.

The database side of things is another thing, it uses something called MySQL, SQL databases create tables of data that the website calls and displays on pages where you define the data should be and the styling makes it look and feel like it’s a part of the web template. SQL injection attempts happen constantly by programmes/scripts often known as “bots” that will attempt to exploit your public directory files and folders and then “inject” code into your SQL database, again i am not sure what Webflow uses in terms of server side security software or how they would restore the data should it be exploited.

I do know and can tell you that under GDPR if they were ever exploited it is a legal requirement as of 25th May 2018 they would have to tell every single account holder what happened, when, what data was exploited and what was or has been done to resolve it.

Depending on how you host your clients website and what security Webflows hosting company uses has an impact on your security. I am sure Webflow uses the most up-to-date and reputable hosting and security available to protect it’s clients and their data hence the ISO rating they have stated.

As long as you have back-ups if hosting yourself, you can quickly restore a site, “BUT” you will have to investigate what was exploited in the first place to combat the exploit happening again, “IF” or “WHEN” this happened.

I have not seen or heard of a Webflow website being exploited to date and to be fair to Webflow, you can NEVER declare 100% protection due to the nature of hacking, they will ALWAYS find some way in if you have data they wish to exploit (highly unlikely) because code is not always full proof but developers always release bug patches and fixes to combat known code exploits.

Hope this helps.