Understanding SSL certificates

Important information about SSL and steps to edit SSL settings to meet your security needs.

Last updated December 17, 2024

All domains correctly pointing to your Squarespace site are automatically protected with free SSL certificates to improve security. SSL secures connections and prevents hackers from impersonating you or stealing visitors' information.

This guide explains how to select SSL settings based on what you need and other important information to know about your SSL certificate. If a warning about your site's security appears, try these troubleshooting steps.

Note

SSL is only included for domains pointing to Squarespace websites. If you have a Squarespace domain that points somewhere else, contact your website host to get an SSL certificate.

Watch a video

What you'll need

SSL certificates are automatically included for:

  • Squarespace domains (registered or transferred to Squarespace)
  • Connected third-party domains
  • Subdomains
  • Built-in domains

If there's something wrong with your domain connection, SSL certificates won't work. To ensure your domain is eligible for an SSL certificate:

  • If you’re using a third-party domain, it needs to be connected correctly. To check if there's an issue preventing SSL for your domain, review your DNS records in Squarespace.
  • If you're using a Squarespace domain, it must point to a Squarespace site. If your domain or subdomain is pointing away from Squarespace, contact your website host about an SSL certificate instead.

Domain names must be 63 characters or less to receive an SSL certificate.

Checking your SSL certificate status

SSL is automatically enabled. You don't need to do anything to set it up. To ensure your SSL certificate is active, do one of the following:

Choose SSL settings

If you have more complex security needs, you may need to change other settings.

To choose an SSL setting:

  1. Open the SSL panel
  2. Under Security preference, choose your settings. Usually, we recommend checking Secure and HSTS secure. Some special situations might need the Insecure option. For help, see SSL settings explained.
  3. Click Save.
  4. It can take up to 72 hours for the update to complete. For third-party domains that aren't connected yet, it may take a bit longer.
  5. While the certificate is processing, you may find an error message in your domain settings. This is normal. If it's been more than 72 hours, follow these troubleshooting steps.

SSL settings explained

Secure (Preferred)

Secure (Preferred) is the default setting that most sites need, along with HSTS enabled. Some domain providers and TLDs require it.

Secure means:

  • Visitors are always redirected to HTTPS after the certificate is issued, even if they entered HTTP in their browser.
  • Sitemaps include HTTPS links.
  • Search engines index the HTTPS version, which is good for SEO.
  • Your site won't load in browsers that don't support SSL.

HSTS Secure

If you’re using the Secure setting, we recommend keeping HSTS Secure enabled. HSTS Secure encrypts the connection and prevents potential attackers from accessing or impersonating your site. We recommend having your site Secure with HSTS Secure enabled on your site because it ensures  your site loads securely. Having an HSTS Secure site also prevents error messages from loading, such as “Your connection is not private”.

Insecure

Domains registered or connected before October 2016 are set to Insecure. If you decide to keep your site Insecure, ensure the domain’s SSL certificate is valid. Insecure means:

  • Visitors can access your site over both HTTP and HTTPS.
  • Sitemaps include HTTP links.
  • Search engines index the HTTP version.

Disabling HSTS or switching to the Insecure setting can temporarily prevent access to your site. Anyone who visited while HSTS was enabled will be blocked from your site until their HSTS policy for the site expires, which can take up to 72 hours.

SSL and commerce checkout

Your checkout page is protected by SSL to protect credit card information. Checkout pages are also Level 1 PCI compliant and use 128 bit SSL encryption. The checkout page is always secure, even if your site is using the Insecure SSL setting.

If your site is on the Commerce Basic or Advanced plan and Secure is checked, visitors will see your custom domain in the checkout URL.

Custom code and SSL warnings (mixed content)

Some pages on your site may have mixed content, meaning the page loads over a secure HTTPS connection, but some content loads over an insecure HTTP connection. Insecure content can come from mixed content such as:

If you choose the Secure setting, visitors may find browser warnings when they load mixed content from your site. To avoid this, edit your mixed content to fix error messages and loading issues.

Note

Custom code and mixed content modifications fall outside the scope of our support. This means that we’re unable to help further with setup or troubleshooting. Additionally, with a code-based solution, we can’t guarantee its functionality or full compatibility with Squarespace. This includes how it functions with our responsive design, particularly its appearance on mobile devices, and if it functions on all templates. Custom code can also cause display issues with future updates to our platform. While we can't help further, there are many resources that can point you in the right direction:

Check a site's SSL certificate

To check if SSL is protecting a page, look for a URL beginning with https:// and a closed padlock icon next to it.

You can view a domain's SSL details in most browsers, which can include information like the issuing certificate authority and how long the certificate is valid. To learn how to check if a site's connection is secure, visit your browser's documentation:

chrome ssl certificate

Technical details

Here are some technical details about our SSL certificates:

  • Let's Encrypt is our certificate authority partner for providing DV (Domain-Validated) SSL certificates that refresh every 90 days.
  • 2048-bit SSL encryption on all pages except checkout.
  • TLS version 1.2 for all HTTPS connections.
  • HTTP Public Key Pinning (HPKP) isn't currently supported.
  • You don't need a Certificate Signing Request (CSR) to get an SSL certificate. We issue certificates automatically.

Third-party SSL providers

We don't support installing third-party SSL certificates. If you use another SSL provider, like CloudFlare, you can switch to Squarespace's certificate.

To use Squarespace's SSL, disconnect your domain from your SSL provider and connect it from your domain provider or transfer it to Squarespace. After the domain is fully connected and using Squarespace DNS records, we'll generate a certificate.

Your site’s existing HTTPS traffic will be unavailable while your DNS changes process and we generate the certificate. During this time, you may see a certificate error in your SSL panel.

FAQ

What is SSL?

SSL (Secure Sockets Layer), is a technology that secures the connection between your browser and the website you’re visiting. All modern computer and mobile browsers support SSL. Websites using SSL will have URLs beginning with https://.

What are the benefits of SSL?

SSL protection has many benefits, including:

  • Creates trust with visitors by showing their information is secure and encrypted on your site.
  • Prevents hackers from stealing data visitors submit through your site's forms and checkout page, including personal information.
  • May help your site load faster.
  • Helps with SEO.

Can I disable SSL?

It’s not possible to remove SSL certificates because they keep your site secure and ensure the best experience for your visitors. However, you can choose the Insecure setting so visitors can still use the HTTP version, even with SSL enabled.

Does SSL slow down my site?

It can take a few extra seconds to authenticate a certificate and validate a site using the Secure setting. If you notice a big difference in load time, use our troubleshooting steps to check for other reasons your site might be loading slowly.

Does SSL work for subdomains?

Yes. Squarespace generates a certificate for each custom domain and subdomain connected to your website. This is also true for the "www" version of your domain, if you're using it separately from your naked domain.

If you're using your subdomain as your site's primary domain, uncheck Use WWW Prefix to prevent certificate errors.

If you have a third-party domain, ensure that it’s connected in your site’s Domains panel and not forwarded or pointed to another location.

Do I need to set my SSL to "Secure" to keep my account details private?

No. With any SSL setting, your site login password is always encrypted, and you're automatically redirected to a secure session to modify sensitive account information.

Does Squarespace 5 include SSL?

SSL is included in Squarespace 5. To learn more, visit Squarespace 5 and SSL.

Does Squarespace include Automated Certificate Management Environment (ACME) protocol?

No. Squarespace doesn't support ACME at this time. Learn more in About the Google Domains migration to Squarespace.

Troubleshooting

To learn more about certificate errors and other SSL-related warnings you might find on your site, visit Troubleshooting SSL.

Footer Image
  • Get help from our community

  • Get help from our community on advanced customizations.

  • Hire a Squarespace Expert

  • Stand out online with the help of an experienced designer or developer.

Understanding SSL certificates