Webflow

Website design and hosting platform used by designers and development teams to build and host custom sites. Webflow scripts manage responsive layout rendering and form submissions on Webflow-hosted sites. Webflow's Ecommerce feature adds cart and checkout tracking scripts.

Overview

Webflow is a visual web design and hosting platform that allows designers to build custom, responsive websites without traditional coding. Webflow hosts over 200,000 live sites. Sites built and hosted on Webflow load a Webflow runtime script that manages layout animations, interactions, and form submissions — this script is essential infrastructure for any Webflow-hosted site.

What This Script Does

Webflow's client-side presence consists of a core runtime script and optional feature-specific modules.

Script Files and Domains

  • webflow.js — The primary Webflow runtime. Loaded from d3e54v103j8qbb.cloudfront.net (Webflow's CloudFront CDN) or directly from assets.website-files.com. Approximately 80–150 KB minified.
  • webflow-js.webflow.com — Alternative CDN domain used for some deployments.
  • Form submissions POST to webflow.com/api/v1/form/{form-id} — Webflow's form processing endpoint.
  • Webflow Ecommerce: additional scripts load from assets.website-files.com for cart and checkout functionality.

Cookies Set

  • .AspNetCore.Antiforgery.* — Anti-CSRF token cookie set on form pages to validate form submission authenticity. Session-scoped. Required for form submissions to succeed.
  • wf_csrf — Webflow CSRF protection cookie for form submissions. Session-scoped.
  • webflow-session — Set on Webflow-hosted sites to maintain session state for authenticated areas (Webflow Memberships). Persists for the configured session duration.

Webflow Ecommerce Cookies

  • wf_cart — Shopping cart state for Webflow Ecommerce sites. Stores cart item IDs and quantities. Session-scoped or persists for up to 30 days depending on configuration.
  • wf_checkout — Checkout flow state cookie. Session-scoped.

Data Collected Per Interaction

  • Form submissions: all user-entered field values are transmitted to Webflow's servers and stored in the Webflow Ecommerce/CMS database. Email notifications are sent to the site owner.
  • No behavioral tracking data is collected by Webflow's core runtime — the script does not send pageview events, click events, or user behavior data to Webflow.
  • Ecommerce: product views, cart events, and purchase completions are tracked for the site owner's Webflow dashboard.

Webflow Interactions and Animations

The Webflow runtime manages CSS transitions, scroll-triggered animations, and mouse-tracking interactions built with Webflow's visual designer. These run entirely in-browser without network calls.

Webflow Memberships (if enabled)

Webflow Memberships adds user authentication. Members log in via Webflow's authentication system, which sets JWT-based session cookies. Member data (email, profile fields) is stored in Webflow's CMS.

Consent & Compliance

Consent category: Essential / Functional

  • GDPR/ePrivacy: Webflow's core runtime and CSRF cookies are strictly necessary for site functionality. The runtime provides rendering and layout — without it, Webflow-hosted sites would not display correctly. CSRF cookies protect form submissions. Both are exempt from consent requirements under ePrivacy's strictly necessary exemption. Form data submitted by users requires appropriate disclosure in the privacy policy, but the act of loading the form script does not require prior consent.
  • CCPA/CPRA: Webflow processes form submission data as a service provider on behalf of the site owner. No independent sale or sharing by Webflow occurs.
  • Ecommerce cookies: Cart and checkout cookies are strictly necessary for e-commerce functionality. Users cannot complete a purchase without them, qualifying them for the strictly necessary exemption.
  • EU-US Data Privacy Framework: Webflow is a US company. It participates in the DPF and offers SCCs.

Should You Block This Without Consent?

No. Webflow's core scripts and cookies are essential infrastructure for Webflow-hosted websites. Blocking them would break page rendering, interactions, animations, and form submissions. No cross-site tracking, advertising, or behavioral profiling is performed by Webflow's runtime. The ecommerce cookies are strictly necessary for shopping functionality.

Consent Categories

Essential
Functional

Also Known As

Webflow
Webflow CMS
Webflow Ecommerce
website builder cookies
Webflow script
no-code platform

Industries

Computers Electronics and Technology
Programming and Developer Software

Tracked Domains (1)

website-files.com: Essential

Frequently Asked Questions

Is consent required for Webflow on my website?

No, not for core functionality. Webflow's runtime script and CSRF cookies are strictly necessary for Webflow-hosted sites to render and process forms. Ecommerce cart and checkout cookies are also strictly necessary. The core runtime performs no cross-site tracking or behavioral profiling. No consent gate is needed for essential Webflow infrastructure.

What cookies does Webflow set?

Webflow sets .AspNetCore.Antiforgery.* and wf_csrf as session-scoped CSRF cookies required for form submissions. Webflow Memberships sets a JWT session cookie for authenticated users. Ecommerce sites get wf_cart (cart state, up to 30 days) and wf_checkout (session-scoped). The core runtime sends no behavioral tracking data to Webflow.

How does ConsentStack detect Webflow?

ConsentStack identifies Webflow through webflow.js loaded from Webflow's CloudFront CDN or assets.website-files.com. It classifies Webflow as essential and functional and applies no blocking to the core runtime. ConsentStack distinguishes Webflow's infrastructure scripts from any third-party analytics or marketing tools added separately to a Webflow-hosted site.
