How to fix passive scan only on Webflow

Complement passive security scans with active Dynamic Application Security Testing (DAST) against a staging copy of your store before each release.

Steps for Webflow

  1. Webflow is a managed SaaS platform: you cannot run DAST against Webflow's hosting infrastructure, and direct active scanning of it is not permitted. Your testable surface is the code and services you add on top of it.
  2. Focus DAST on any custom code added via the Webflow Designer's Embed elements or Page Settings → Custom Code sections — extract this code and review it manually or run it in an isolated test harness.
  3. If your Webflow site connects to external APIs (e.g. a custom backend, Xano, or Make/Zapier flows), deploy a staging copy of that backend and scan it with OWASP ZAP.
  4. Audit third-party scripts loaded by your Webflow site (Designer → Pages → Page Settings → Before/After </body>) — remove any scripts not actively needed, as third-party JS is a primary attack vector.
  5. Ensure Webflow's built-in SSL is active (Webflow Dashboard → Hosting → SSL) and that form submissions do not expose sensitive data in Webflow's form notification emails.
  6. For ecommerce stores handling significant transaction volume, evaluate exporting to a self-hosted environment (Webflow export + custom hosting) where full DAST is possible.
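The inventory that steps 2 and 4 call for, as an added example that is not part of this guide or of any Webflow tooling: it parses a page's HTML (from a Webflow export or the published site), lists every external script with its host and whether it carries an integrity attribute, and collects inline custom-code bodies for manual review. The sample page, hostnames and SRI value below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real Webflow export): a first-party script,
# a third-party script pinned with SRI, an inline custom-code block in the
# head slot, and an unpinned third-party tag in the "Before </body>" slot.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="/js/webflow.js"></script>
<script src="https://cdn.widgets.example/chat.js"
  integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>Store</p>
<script src="https://cdn.analytics.example/tag.js"></script>
</body></html>"""

class ScriptInventory(HTMLParser):
    """Collect external <script> tags with host/SRI facts and inline bodies."""
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            host = urlparse(a["src"]).netloc.lower()  # "" for a relative src
            self.external.append({"src": a["src"], "host": host,
                                  "third_party": bool(host) and host not in self.first_party,
                                  "sri": bool(a.get("integrity"))})
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)  # custom code to review by hand
            self._buf = None

def audit_scripts(html, first_party_hosts=()):
    """Inventory plus the third-party scripts lacking SRI (remove or pin them)."""
    p = ScriptInventory(first_party_hosts)
    p.feed(html)
    p.close()
    unpinned = [e["src"] for e in p.external if e["third_party"] and not e["sri"]]
    return {"external": p.external, "inline": p.inline, "unpinned_third_party": unpinned}
```

Feed it the HTML of each page (and each Embed element's content) and treat every entry in `unpinned_third_party` as a script to drop or pin before relying on any scan result.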
Official Webflow documentation

What is passive scan only?

Automated security scanners that check your live store passively — inspecting HTTP headers, TLS certificates, cookies, and DNS records — can only see what is publicly visible without logging in or submitting forms. They cannot detect deeper vulnerabilities like SQL injection, broken authentication, insecure API endpoints, or business-logic flaws. Dynamic Application Security Testing (DAST) tools, such as OWASP ZAP, actively probe a running copy of your application the way a real attacker would — sending crafted requests, testing login flows, and fuzzing inputs — to surface vulnerabilities a passive scan will never find. Running DAST against a staging environment (never your live store) gives you a much more complete security picture before code reaches customers.

Security misconfigurations and undetected vulnerabilities are the #5 risk on the OWASP Top Ten and are a leading cause of data breaches in ecommerce — exposing customer payment data, personal information, and admin credentials. A breach can result in PCI-DSS non-compliance fines, chargebacks, loss of payment-processor accounts, and severe reputational damage that directly destroys revenue. Relying solely on passive header checks leaves entire attack surfaces — checkout flows, account login, coupon logic, admin APIs — completely untested. Adding even a basic DAST scan to your pre-release checklist dramatically reduces the chance of shipping a critical vulnerability to production.
