Important information about SSL and steps to edit SSL settings to meet your security needs.
All domains correctly added to your Squarespace site are automatically protected with free SSL certificates to improve security. SSL secures connections and prevents hackers from impersonating you or stealing visitors' information.
This guide explains how to select SSL settings based on what you need and other important information to know about your SSL certificate. If you're seeing a warning about your site's security, try these troubleshooting steps.
What you'll need
SSL certificates are automatically included for:
- Squarespace domains (registered or transferred to Squarespace)
- Connected third-party domains
- Built-in domains
If there's something wrong with your domain connection, SSL certificates won't work. To ensure your domain is eligible for an SSL certificate:
- If you’re using a third-party domain, it needs to be connected correctly. To check if there's an issue preventing SSL for your domain, review your DNS records in Squarespace.
- If you're using a Squarespace domain, it must point to a Squarespace site. If your domain or subdomain is pointing away from Squarespace, contact your website host about an SSL certificate instead.
Domain names must be 63 characters or fewer to receive an SSL certificate.
Choose SSL settings
SSL is automatically enabled. You don't need to do anything to set it up. If you have more complex security needs, you may need to change other settings.
To choose an SSL setting:
- Open the Developer tools panel. (For parking pages, click SSL in the main menu.)
- Click SSL.
- Under Security preference, choose your settings. Usually, we recommend checking Secure and HSTS secure. Some special situations might need the Insecure option. For help, see SSL settings explained.
- Click Save.
- It can take up to 72 hours for the update to complete. For third-party domains that aren't connected yet, it may take a bit longer.
- While the certificate is processing, you may find an error message in your domain settings. This is normal. If it's been more than 72 hours, follow these troubleshooting steps.
SSL settings explained
Secure (Preferred) is the default setting that most sites need, along with HSTS enabled. Some domain providers and TLDs require it.
- Visitors are always redirected to HTTPS after the certificate is issued, even if they entered HTTP in their browser.
- Sitemaps include HTTPS links.
- Search engines index the HTTPS version, which is good for SEO.
- Your site won't load in browsers that don't support SSL.
If you’re using the Secure setting, we recommend keeping HSTS Secure enabled. HSTS Secure encrypts the connection and prevents potential attackers from accessing or impersonating your site, which ensures your site loads securely. It also prevents error messages such as “Your connection is not private” from loading.
Domains registered or connected before October 2016 are set to Insecure. If you decide to keep your site Insecure, ensure the domain’s SSL certificate is valid. Insecure means:
- Visitors can access your site over both HTTP and HTTPS.
- Sitemaps include HTTP links.
- Search engines index the HTTP version.
Disabling HSTS or switching to the Insecure setting can temporarily prevent access to your site. Anyone who visited while HSTS was enabled will be blocked from your site until their HSTS policy for the site expires, which can take up to 72 hours.
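The lockout window described above comes from browsers caching the Strict-Transport-Security response header for its max-age. The Python below is an added example, not Squarespace code; the header value (max-age=259200, chosen to equal 72 hours) and the visit time are constructed, not captured from a Squarespace site.

```python
import re
from datetime import datetime, timedelta, timezone

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"[0-9]+", value):
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def https_forced_until(last_seen, header_value):
    """When a browser that cached this policy at last_seen stops forcing HTTPS.

    Returns None if no policy is stored: max-age is missing or invalid, or
    max-age=0, which tells the browser to delete its cached policy.
    """
    max_age = parse_hsts(header_value)["max_age"]
    if not max_age:
        return None
    return last_seen + timedelta(seconds=max_age)

def still_forced_to_https(last_seen, header_value, now):
    """True while the visitor's browser still rewrites http:// to https://."""
    until = https_forced_until(last_seen, header_value)
    return until is not None and now < until

# Constructed sample: a 72-hour policy and a visitor's last HTTPS visit.
SAMPLE_HEADER = "max-age=259200; includeSubDomains"
LAST_VISIT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(https_forced_until(LAST_VISIT, SAMPLE_HEADER))
    for hours in (24, 71, 73):
        now = LAST_VISIT + timedelta(hours=hours)
        print(hours, still_forced_to_https(LAST_VISIT, SAMPLE_HEADER, now))
```

The cached policy is refreshed on every HTTPS visit, so the window is measured from each visitor's most recent visit, not from when the setting was changed.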
SSL and commerce checkout
Your checkout page is protected by SSL to protect credit card information. Checkout pages are also Level 1 PCI compliant and use 128-bit SSL encryption. The checkout page is always secure, even if your site is using the Insecure SSL setting.
If your site is on the Commerce Basic or Advanced plan and Secure is checked, visitors will see your custom domain in the checkout URL.
Custom code and SSL warnings (mixed content)
Some pages on your site may have mixed content, meaning the page loads over a secure HTTPS connection, but some content loads over an insecure HTTP connection. Insecure content can come from mixed content such as:
If you choose the Secure setting, visitors may find browser warnings when they load mixed content from your site. To avoid this, edit your mixed content to fix error messages and loading issues.
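To find mixed content before visitors do, you can scan the HTML of a custom code block for subresources requested over http://. The Python below is an added example, not a Squarespace tool; the sample markup and example.com hosts are constructed, and the blockable/upgradeable split follows the W3C Mixed Content specification (browsers block the first kind and warn about or upgrade the second).

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource.
BLOCKABLE = {"script": "src", "iframe": "src", "embed": "src",
             "object": "data", "link": "href"}
UPGRADEABLE = {"img": "src", "audio": "src", "video": "src", "source": "src"}
# <link> only fetches for these rel values; rel="canonical" is just metadata.
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        for table, kind in ((BLOCKABLE, "blockable"), (UPGRADEABLE, "upgradeable")):
            attr = table.get(tag)
            url = (attrs.get(attr) or "").strip() if attr else ""
            # Only absolute http:// URLs are mixed content on an HTTPS page;
            # https:// and protocol-relative (//host/...) URLs load securely.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, url, kind))

def find_mixed_content(html):
    """Return (line, tag, url, kind) for each insecure subresource in html."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of custom code pasted into a page.
SAMPLE_HTML = "\n".join([
    '<link rel="stylesheet" href="http://fonts.example.com/site.css">',
    '<link rel="canonical" href="http://www.example.com/">',
    '<script src="https://cdn.example.com/widget.js"></script>',
    '<img src="http://images.example.com/banner.png" alt="">',
    '<a href="http://www.example.com/blog">Blog</a>',
    '<iframe src="//player.example.com/embed/1"></iframe>',
])

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag}> {url} ({kind})")
```

Ordinary links (`<a href>`) are not reported because following a link is navigation, not a subresource load on the secure page.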
Note: Custom code and mixed content modifications fall outside the scope of our support. This means that we’re unable to help further with setup or troubleshooting. Additionally, with a code-based solution, we can’t guarantee its functionality or full compatibility with Squarespace. This includes how it functions with our responsive design, particularly its appearance on mobile devices, and if it functions on all templates. Custom code can also cause display issues with future updates to our platform. While we can't help further, there are many resources that can point you in the right direction:
Check a site's SSL certificate
To check if SSL is protecting a page, look for a URL beginning with https:// and a closed padlock icon next to it.
You can view a domain's SSL details in most browsers, which can include information like the issuing certificate authority and how long the certificate is valid. To learn how to check if a site's connection is secure, visit your browser's documentation:
Here are some technical details about our SSL certificates:
- Let's Encrypt is our certificate authority partner for providing SSL certificates.
- 2048-bit SSL encryption on all pages except checkout.
- TLS version 1.2 for all HTTPS connections.
- HTTP Public Key Pinning (HPKP) isn't currently supported.
- You don't need a Certificate Signing Request (CSR) to get an SSL certificate; we issue certificates automatically.
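The same details a browser shows (issuing certificate authority, validity period, negotiated TLS version) can be read from a script. The Python below is an added example, not Squarespace tooling; fetch_certificate needs network access to the site being checked, and SAMPLE_CERT is a constructed dictionary in the shape Python's getpeercert() returns.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_certificate(host, port=443, timeout=10):
    """Connect with normal verification; return (cert dict, TLS version).

    An expired or wrong-host certificate raises ssl.SSLCertVerificationError,
    the scripted counterpart of a browser's "connection is not private" page.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

def summarize_certificate(cert, now=None):
    """Extract issuer, expiry, days remaining and covered names from a cert dict."""
    now = now or datetime.now(timezone.utc)
    # issuer is a tuple of RDNs, each a tuple of (field, value) pairs.
    issuer = {field: value for rdn in cert["issuer"] for field, value in rdn}
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer": issuer.get("organizationName"),
        "expires": expires,
        "days_left": (expires - now).days,
        "dns_names": names,
    }

# Constructed sample certificate data (not captured from a real site).
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Jun 15 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    sample_now = datetime(2024, 5, 16, 12, 0, tzinfo=timezone.utc)
    print(summarize_certificate(SAMPLE_CERT, now=sample_now))
    # Live check (requires network): cert, version = fetch_certificate(host)
```

An issuer other than the expected certificate authority usually means the domain is still served through another provider's certificate.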
Third-party SSL providers
We don't support installing third-party SSL certificates. If you use another SSL provider, like CloudFlare, you can switch to Squarespace's certificate.
To use Squarespace's SSL, disconnect your domain from your SSL provider and connect it from your domain provider or transfer it to Squarespace. After the domain is fully connected and using Squarespace DNS records, we'll generate a certificate.
What is SSL?
SSL (Secure Sockets Layer) is a technology that secures the connection between your browser and the website you’re visiting. All modern computer and mobile browsers support SSL. Websites using SSL will have URLs beginning with https://.
What are the benefits of SSL?
SSL protection has many benefits, including:
- Creates trust with visitors by showing their information is secure and encrypted on your site.
- Prevents hackers from stealing data visitors submit through your site's forms and checkout page, including personal information.
- May help your site load faster.
- Helps with SEO.
Can I disable SSL?
It’s not possible to remove SSL certificates because they keep your site secure and ensure the best experience for your visitors. However, you can choose the Insecure setting so visitors can still use the HTTP version, even with SSL enabled.
Does SSL slow down my site?
It can take a few extra seconds to authenticate a certificate and validate a site using the Secure setting. If you notice a big difference in load time, use our troubleshooting steps to rule out other reasons your site might be loading slowly.
Does SSL work for subdomains?
Yes. Squarespace generates a certificate for each custom domain and subdomain connected to your website. This is also true for the "www" version of your domain, if you're using it separately from your naked domain.
If you have a third-party domain, ensure that it’s connected in your site’s Domains panel and not forwarded or pointed to another location.
Do I need to set my SSL to "Secure" to keep my account details private?
No. With any SSL setting, your site login password is always encrypted, and you're automatically redirected to a secure session to modify sensitive account information.
Does Squarespace 5 include SSL?
SSL is included in Squarespace 5. To learn more, visit Squarespace 5 and SSL.
To learn more about certificate errors and other SSL-related warnings you might find on your site, visit Troubleshooting SSL.