Squarespace and SSL

All Squarespace Domains and third-party domains include free SSL certificates when connected and pointing to Squarespace sites. With SSL enabled automatically, your visitors can access a constant, secure connection on every page of your site. Through SSL, your visitors see a lock icon next to your URL in the browser, showing that their information is safe.

Use the SSL panel to customize your settings, and follow this guide to learn how to ensure a secure connection throughout your site. 

Tip: If you use a third-party SSL provider, like CloudFlare, you can switch to Squarespace's certificate. See the FAQ below for details. 
Note: It's not possible to install custom SSL certificates at this time.

What is SSL?

Secure Sockets Layer, or SSL, is a technology that secures the connection between your browser and the website you’re visiting. To verify that SSL is protecting a page, look for a URL beginning with https://, instead of http://, and a green, closed padlock icon. This allows visitors to navigate the website and submit information through a secure connection.

SSL provides three important security benefits:

  • Privacy: Encrypts the connection between the browser and web server and securely transmits information (like login credentials) to prevent unauthorized parties from eavesdropping.
  • Data integrity: Prevents unauthorized parties from altering data during transmission (like during a Form Block submission).
  • Authentication: Protects against impersonation by requiring web server proof of identity.

Enabling SSL may help your site load faster, as Squarespace uses HTTP/2 for SSL-enabled sites. It may also help more visitors find your site: in 2014, Google announced that SSL-secured websites would potentially enjoy a rankings boost in their search results.

How Squarespace uses SSL

If you have custom domains linked and pointed to your Squarespace site, we automatically generate an SSL certificate for your site. This allows visitors to view your site over an HTTPS connection. This is automatically included for Squarespace Domains and third-party domains that point to Squarespace. We use 2048 bit SSL encryption on all pages except checkout pages, and we use TLS version 1.2 for all HTTPS connections.

If you’re using a third-party domain, ensure that it’s correctly connected and pointing to your site to allow a secure SSL connection. Specifically, confirm that you’re using our required CNAME records and A records and that the domain points to Squarespace.

Tip: You may be using outdated DNS records. If your records don't match the CNAME and A records linked above, disconnect the domain, then reconnect it.

When your site loads with SSL protection enabled, you’ll see a lock icon and https:// next to the URL in the browser bar.

Your site includes two SSL-related security settings, depending on what you need:

  • Secure (Preferred) - All visitors are redirected to HTTPS, even if they entered the HTTP version in their browser. Sitemaps contain HTTPS links and search engines index the HTTPS version. Unsupported browsers can’t load your site.
  • Insecure - Visitors can access your site over both the standard connection (HTTP) and SSL secure connection (HTTPS). Sitemaps contain HTTP links and search engines index the HTTP version. 
Note: RSS feeds always use HTTP links instead of HTTPS, even when the Secure setting is enabled. This helps keep your feed visible to feed readers and other services.

Choose a setting in the SSL panel:

  1. From the Home Menu, click Settings, click Advanced, and then click SSL.
  2. Under Security Preference, choose a setting.
Note: If you're using a parking page, click SSL in the main parking page menu, then choose a setting.

After enabling a security preference, your site can take up to 72 hours to process the update. For third-party domains that aren't correctly connected yet, it may take a bit longer. 


Using HSTS Secure

When you’re using the Secure SSL setting, you can also enable HSTS Secure for an added layer of security. Enabling HSTS Secure ensures the connection is encrypted and prevents potential attackers from accessing or impersonating your site. If you think of a visit like a letter being sent from the visitor’s browser to your site, HSTS certifies that letter and ensures that only the correct recipient can open it.

When a visitor first loads your HSTS-enabled site, their browser remembers the secure version of the URL for future access. The next time they visit your site, their browser will load this secure, HTTPS version. As long as they continue to access your site from the same browser, they’ll always access the HTTPS version of your site, even if they switch to a different network. Your visitors won’t notice anything different on your site, except that the URL in their browser will always start with https://.

If you’re using the Secure setting for your site, we recommend keeping HSTS Secure enabled as well. However, you may want to switch to the Insecure setting if your visitors need access over HTTP or your site uses a lot of mixed content.

Note: If you need to switch to the Insecure setting, ensure that the domain’s SSL certificate is valid. Certificates with errors may also cause browser errors for your visitors.

Older browsers

Some older browsers don’t support the high security standards required by our SSL certificates. 

Unsupported browsers include:

  • All versions of Internet Explorer on Windows XP
  • Internet Explorer versions older than 7
  • Firefox versions older than 2.0
  • Safari versions older than 2.1
  • Any Google Chrome version older than 6

Unsupported mobile browsers include:

  • All versions of Safari running iOS older than 4.0
  • Any Android browser running on a version older than 3.0 (Honeycomb)
  • Any Windows Phone browser running on a version older than 7

Visitors loading your site on these browsers may have trouble loading the secure, HTTPS version of your site. In some cases, they might not be able to load it at all.

To avoid these issues, we recommend using a supported browser to visit or edit any Squarespace site.

Mixed content

Some pages on your site may have mixed content, meaning the page loads over a secure HTTPS connection, but some content loads over an insecure HTTP connection. Insecure content can come from:

Since mixed content on your website degrades HTTPS site security, if you choose the Secure setting, visitors may see a browser warning when they load mixed content from your site. To avoid this, use the Insecure SSL setting, or switch to other blocks that support your content securely.

SSL and Commerce

If you sell products with Squarespace Commerce, your checkout page is protected by SSL to keep your customers’ credit card data safe and secure. On checkout pages, we’re Level 1 PCI compliant and use 128 bit SSL encryption.

When a customer checks out on your store, they’ll see a lock icon in their browser. If your site is on the Commerce Basic or Advanced plan and you have the Secure SSL setting enabled, they’ll also see your custom domain in the checkout URL. To learn more, visit Checkout on Your Domain.

Note: If your site is using the Insecure setting, your URL will start with https://secure.squarespace.com, even if the site is on the Commerce Basic or Advanced plan. The checkout page is still secure for your customers, but it won’t support your custom domain.

Certificate status errors

If we have trouble generating a certificate for your domain, you'll see an error message in your Security & SSL panel.

Red: There's an issue to resolve

If the error message has a red !, we couldn’t generate an SSL certificate for the listed domains. In some cases, the certificate may need more time to process. New domains may take up to 72 hours to fully connect and generate the certificate. It could also mean the domain isn’t properly pointing to your site.

First, wait a full 72 hours for the certificate to generate. After 72 hours, you can try refreshing the certificate to see if it helps. Opening its DNS settings automatically refreshes the status:

  • If you're using a Squarespace Domain, click the domain in the Domains panel, then click Advanced Settings.
  • If you're using a third-party domain, click the domain in the Domains panel, then click DNS Settings.

If the status doesn't change after refreshing, review the following settings: 

Blue: In progress

If the message has a blue icon with the text "SSL certificates have not been issued for the following domains," we're still processing the SSL certificate. New domains may take up to 72 hours to fully connect and generate the certificate, so in most cases, it just needs more time.

You'll usually see this if you very recently:

  • Registered a Squarespace Domain
  • Transferred a domain to Squarespace
  • Connected a third-party domain

You can try refreshing the certificate to see if it helps. Opening its DNS settings automatically refreshes the status:

  • If you're using a Squarespace Domain, click the domain in the Domains panel, then click Advanced Settings.
  • If you're using a third-party domain, click the domain in the Domains panel, then click DNS Settings.

If the status doesn't change after refreshing, it still needs more time to generate. 

View an SSL certificate

Most browsers let you view a domain's SSL certificate details, which can include information like:

  • Issuing Certificate Authority (CA)
  • How long the certificate is valid
  • Certificate serial number
  • Key usage
  • Thumbprint

To view an SSL certificate, visit your site from its custom domain and click the lock icon next to the URL. Depending on your browser, you'll see links to more detailed information.

Here's an example of how this looks in Chrome on a desktop:

[Screenshot: SSL certificate details in Chrome]

For more help viewing SSL certificate details, contact your browser's support.

FAQ

Which setting should I use?

The best setting for your site depends on your site’s content and the type of visitors you anticipate. Most users will benefit from Secure with HSTS enabled, which provides a secure connection to all supported browsers.

Do I need a Squarespace Domain to use SSL?

No. SSL is available for any Squarespace Domains and third-party domains connected to your site. If you have a third-party domain, ensure that the domain is properly connected to your site by confirming your CNAME records and A records.

Can I use a custom certificate?

It isn’t currently possible to install a custom SSL certificate on a Squarespace site.

Will SSL work for subdomains?

Yes. Squarespace generates a certificate for each custom domain and subdomain connected to your website, whether it’s a Squarespace Domain or hosted by a third party. This is also true for the "www" version of your domain, if you're using it separately from your naked domain.

If you're using your subdomain as your site's primary domain, ensure that you uncheck Use WWW Prefix to prevent certificate errors. 

If you have a third-party domain, ensure that it’s connected in your site’s Domains panel and not forwarded from another location.

Will SSL work on mobile browsers?

Yes. Your site is still protected by SSL as long as your visitors are using a supported browser.

Will SSL slow down my site?

You may notice a slight difference in site load time over HTTPS, as the secure connection takes time to authenticate the certificate and validate the site. In most cases, the difference is only a few seconds.

If you’re noticing a big difference in load time, use our troubleshooting steps to rule out other possible site issues, like content-heavy pages or custom code integrations. 

I see a certificate error for my third-party domain, but my DNS settings are correct. 

If you're seeing an error for your third-party domain, but you've already checked your records, we might not be able to issue a certificate because of a problem with your domain provider. To fix this, we recommend one of the following options:

I see a browser warning when I visit my domain. 

If you've enabled the Secure setting in your SSL panel, you may still see a privacy warning when you visit your domain. Depending on your browser, the message may be "Your connection is not private," "Your connection is not secure," or something similar. This happens when your browser detects insecure content on the page.

To resolve this, use our troubleshooting steps to check your site for mixed content or a certificate error. If you're still having trouble, check for issues related to your browser.

I’m using a third-party SSL provider for my site. Should I disable it?

If you’re using an external provider for SSL, like CloudFlare, you can disable this and use Squarespace’s automatic SSL protection for custom domains. However, note that Squarespace can’t generate a certificate for your domain until you point your domain to our servers. Your site’s existing HTTPS traffic will be unavailable while your DNS changes propagate and Squarespace generates the certificate. During this time, you may see a certificate error in your SSL panel. 

Will my custom domain appear during Commerce checkout?

Yes. If your site is on the Commerce Basic or Advanced plan and using the Secure SSL setting, your customers will see your custom domain during checkout. If you’re using the Insecure setting, they’ll see a URL beginning with https://secure.squarespace.com… instead.

Do SSL-enabled sites support HPKP?

No. Squarespace doesn’t support HTTP Public Key Pinning (HPKP).

Do I need to create a CSR to use SSL with Squarespace?

No. Squarespace automatically generates an SSL certificate for any domain correctly connected to your site. There’s no need to use a Certificate Signing Request (CSR) to generate the certificate.

Can I enable SSL on my Squarespace 5 site?

No. Squarespace only enables SSL for custom domains on Squarespace 7 sites.

Can I disable SSL?

It’s not possible to remove SSL certificates for your custom domains, as this keeps your site secure and ensures the best experience for your visitors. However, you can choose the Insecure option for your site, which still allows traffic over the standard HTTP connection.
