Squarespace offers free SSL certificates for all Squarespace Domains and third-party domains connected and pointing to a Squarespace site. With SSL enabled automatically, your visitors can access a constant, secure connection on every page of your site. Through SSL, your visitors see a lock icon next to your URL in the browser, showing that their information is safe.
Use the Security & SSL panel to customize your settings, and follow this guide to learn how to ensure a secure connection throughout your site.
Tip: If you use a third-party SSL provider, like CloudFlare, you can switch to Squarespace's certificate. See the FAQ below for details.
Note: We don’t offer the ability to install custom SSL certificates at this time.
What is SSL?
Secure Sockets Layer, or SSL, is a technology that secures the connection between your browser and the website you’re visiting. To verify that SSL is protecting a page, look for a URL beginning with https://, instead of http://, and a green, closed padlock icon. This allows visitors to navigate the website and submit information through a secure connection.
SSL provides three important security benefits:
- Privacy: Encrypts the connection between the browser and web server and securely transmits information (like login credentials) to prevent unauthorized parties from eavesdropping.
- Data integrity: Prevents unauthorized parties from altering data during transmission (like during a Form Block submission).
- Authentication: Protects against impersonation by requiring web server proof of identity.
Enabling SSL may help your site load faster, as Squarespace uses HTTP/2 for SSL-enabled sites. It may also help more visitors find your site: in 2014, Google announced that SSL-secured websites would potentially enjoy a rankings boost in their search results.
How Squarespace uses SSL
If you have custom domains linked and pointed to your Squarespace site, we automatically generate an SSL certificate for your site. This allows visitors to view your site over an HTTPS connection. This is automatically included for Squarespace Domains and third-party domains. We use 2048 bit SSL encryption on all pages except checkout pages.
If you’re using a third-party domain, ensure that it’s correctly connected and pointing to your site to allow a secure SSL connection. Specifically, confirm that you’re using our required CNAME records and A records and that the domain points to Squarespace.
When your site loads with SSL protection enabled, you’ll see a lock icon and https:// next to the URL in the browser bar:
Your site includes two SSL-related security settings, depending on what you need:
- Secure (Preferred) - All visitors are redirected to HTTPS, even if they entered the HTTP version in their browser. Sitemaps contain HTTPS links and search engines index the HTTPS version. Unsupported browsers can’t load your site.
- Insecure - Visitors can access your site over both the standard connection (HTTP) and SSL secure connection (HTTPS). Sitemaps contain HTTP links and search engines index the HTTP version.
Note: RSS feeds always use HTTP links instead of HTTPS, even when the Secure setting is enabled. This helps keep your feed visible to feed readers and other services.
Choose a setting in the Security & SSL panel:
- From the Home Menu, click Settings.
- Under Website, click Security & SSL.
- Under Security Preference, choose a setting.
Note: If you're using a parking page, click Security & SSL in the main parking page menu, then choose a setting.
After enabling a security preference, your site can take up to 72 hours to process the update.
Using HSTS Secure
When you’re using the Secure SSL setting, you can also enable HSTS Secure for an added layer of security. Enabling HSTS Secure ensures the connection is encrypted and prevents potential attackers from accessing or impersonating your site. If you think of a visit like a letter being sent from the visitor’s browser to your site, HSTS certifies that letter and ensures that only the correct recipient can open it.
When a visitor first loads your HSTS-enabled site, their browser remembers the secure version of the URL for future access. The next time they visit your site, their browser will load this secure, HTTPS version. As long as they continue to access your site from the same browser, they’ll always access the HTTPS version of your site, even if they switch to a different network. Your visitors won’t notice anything different on your site, except that the URL in their browser will always start with https://.
If you’re using the Secure setting for your site, we recommend keeping HSTS Secure enabled as well. However, you may want to switch to the Insecure setting if your visitors need access over HTTP or your site uses a lot of mixed content.
Note: If you need to switch to the Insecure setting, ensure that the domain’s SSL certificate is valid. Certificates with errors may also cause browser errors for your visitors.
Some older browsers don’t support the high security standards required by our SSL certificates.
Unsupported browsers include:
- All versions of Internet Explorer on Windows XP
- Internet Explorer versions older than 7
- Firefox versions older than 2.0
- Safari versions older than 2.1
- Any Google Chrome version older than 6
Unsupported mobile browsers include:
- All versions of Safari running iOS older than 4.0
- Any Android browser running on a version older than 3.0 (Honeycomb)
- Any Windows Phone browser running on a version older than 7
Visitors loading your site on these browsers may have trouble loading the secure, HTTPS version of your site. In some cases, they might not be able to load it at all.
To avoid these issues, we recommend using a supported browser to visit or edit any Squarespace site.
Some pages on your site may have mixed content, meaning that the page loads over a secure HTTPS connection, but integrated content or third-party customizations load over an insecure HTTP connection. Mixed content on your website degrades HTTPS site security.
If you choose the Secure SSL setting for your site, your browser may display a warning when it loads mixed content. To avoid this, you can use the Insecure SSL setting, or experiment with other blocks that support your content securely.
SSL and Commerce
If you sell products with Squarespace Commerce, your checkout page is protected by SSL to keep your customers’ credit card data safe and secure. On checkout pages, we’re Level 1 PCI compliant and use 128 bit SSL encryption.
When a customer checks out on your store, they’ll see a lock icon in their browser. If your site is on the Commerce Advanced plan and you have the Secure SSL setting enabled, they’ll also see your custom domain in the checkout URL. To learn more, visit Checkout on Your Domain.
Note: If your site is using the Insecure setting, your URL will start with https://secure.squarespace.com, even if the site is on the Commerce Advanced plan. The checkout page is still secure for your customers, but it won’t support your custom domain.
Certificate status errors
If we have trouble generating a certificate for your domain, you'll see an error message in your Security & SSL panel.
Blue: In progress
If the message has a blue !, we're still processing the SSL certificate. New domains may take up to 72 hours to fully connect and generate the certificate, so in most cases, it just needs more time.
You'll usually see this if you very recently:
- Registered a Squarespace Domain
- Transferred a domain to Squarespace
- Connected a third-party domain
You can try refreshing the certificate to see if it helps. Opening its DNS settings automatically refreshes the status:
- If you're using a Squarespace Domain, click the domain in the Domains panel, then click Advanced Settings.
- If you're using a third-party domain, click the domain in the Domains panel, then click DNS Settings.
If the status doesn't change after refreshing, it still needs more time to generate.
Red: There's an issue to resolve
If the error message has a red !, we couldn’t generate an SSL certificate for the listed domains. This usually happens when the domain isn’t properly pointing to your site.
- If you’re using a Squarespace Domain, ensure that your default records are intact.
- If you connected a third-party domain, double check your domain-mapping records to ensure your domain has the correct A records to work with Squarespace.
Which setting should I use?
The best setting for your site depends on your site’s content and the type of visitors you anticipate. Most users will benefit from Secure with HSTS enabled, which provides a secure connection to all supported browsers.
Do I need a Squarespace Domain to use SSL?
No. SSL is available for any Squarespace Domains and third-party domains connected to your site. If you have a third-party domain, ensure that the domain is properly connected to your site by confirming your CNAME records and A records.
Can I use a custom certificate?
It isn’t currently possible to install a custom SSL certificate on a Squarespace site.
Will SSL work for subdomains?
Yes. Squarespace generates a certificate for each custom domain and subdomain connected to your website, whether it’s a Squarespace Domain or hosted by a third party. This also true for the "www" version of your domain, if you're using it separately from your naked domain.
If you have a third-party domain, ensure that it’s connected in your site’s Domains panel and not forwarded from another location.
Will SSL work on mobile browsers?
Yes. Your site is still protected by SSL as long as your visitors are using a supported browser.
Will SSL slow down my site?
You may notice a slight difference in site load time over HTTPS, as the secure connection takes time to authenticate the certificate and validate the site. In most cases, the difference is only a few seconds.
If you’re noticing a big difference in load time, use our troubleshooting steps to rule out other possible site issues, like content-heavy pages or custom code integrations.
I see a certificate error for my third-party domain, but my DNS settings are correct.
If you're seeing an error for your third-party domain, but you've already checked your records, we might not be able to issue a certificate because of a problem with your domain provider. To fix this, we recommend one of the following options:
I see a browser warning when I visit my domain.
If you've enabled the Secure setting in your Security & SSL panel, you may still see a privacy warning when you visit your domain. Depending on your browser, the message may be "Your connection is not private, "Your connection is not secure," or something similar. This happens when your browser detects insecure content on the page.
I’m using a third-party SSL provider for my site. Should I disable it?
If you’re using an external provider for SSL, like CloudFlare, you can disable this and use Squarespace’s automatic SSL protection for custom domains. However, note that Squarespace can’t generate a certificate for your domain until you point your domain to our servers. Your site’s existing HTTPS traffic will be unavailable while your DNS changes propagate and Squarespace generates the certificate. During this time, you may see a certificate error in your Security & SSL panel.
Will my custom domain appear during Commerce checkout?
Yes. If your site is on the Commerce Advanced plan and using the Secure SSL setting, your customers will see your custom domain during checking. If you’re using the Insecure setting, they’ll see a URL beginning with https://secure.squarespace.com… instead.
Do SSL-enabled sites support HPKP?
No. Squarespace doesn’t support HTTP Public Key Pinning (HPKP).
Do I need to create a CSR to use SSL with Squarespace?
No. Squarespace automatically generates an SSL certificate for any domain correctly connected to your site. There’s no need to use a Certificate Signing Request (CSR) to generate the certificate.
Can I enable SSL on my Squarespace 5 site?
No. Squarespace only enables SSL for custom domains on Squarespace 7 sites.
Can I disable SSL?
It’s not possible to remove SSL certificates for your custom domains, as this keeps your site secure and ensures the best experience for your visitors. However, you can choose the Insecure option for your site, which still allows traffic over the standard HTTP connection.