All domains connected to Squarespace are protected with free SSL certificates. With SSL enabled, your visitors can access a constant, secure connection on every page. SSL prevents hackers from impersonating your site or stealing information that customers submit, like an email address or a credit card number.
SSL certificates are automatically included for:
- Squarespace Domains (registered or transferred to Squarespace)
- Connected third-party domains
- Built-in domains
This guide explains how to enable SSL and customize your settings.
What is SSL?
Secure Sockets Layer, or SSL, is a technology that secures the connection between your browser and the website you’re visiting. All modern desktop and mobile browsers support SSL. To check if SSL is protecting a page, look for a URL beginning with https:// and a closed padlock icon next to the URL.
SSL protection has many benefits, including:
- Creates trust with visitors by showing their information is secure and encrypted on your site.
- Prevents hackers from stealing data visitors submit through your site's forms and checkout page, including personal information.
- May help your site load faster.
- Helps with SEO.
Before you begin
- It isn’t possible to install custom SSL certificates. To learn more, see Third-party SSL providers.
- If you’re using a third-party domain, it needs to be correctly connected and pointed to your site for SSL to work. To check if there's an issue preventing SSL for your third-party domain, review your DNS records in Squarespace. If Deprecated appears in the Current Records column, update the CNAME and A records to match our requirements.
- If you're using a Squarespace Domain, it must point to a Squarespace site for an SSL certificate to be generated by Squarespace. If your domain is pointing away from Squarespace, contact your website host about an SSL certificate.
- You don't need a Certificate Signing Request (CSR) to get an SSL certificate, since we issue certificates automatically.
- To keep your feed visible to feed readers and other services, RSS feeds always use HTTP instead of HTTPS, even when Secure is enabled.
- With any SSL setting, your site login password is always encrypted, and you're automatically redirected to a secure session to modify sensitive account information.
- SSL is also included in Squarespace 5. To learn more, visit Squarespace 5 and SSL.
Choose SSL settings
Since SSL is enabled automatically, you don't need to do anything else to set it up. However, you may need to customize it further depending on what you need.
To choose an SSL setting:
- In the Home Menu, click Settings, then click Advanced. (For parking pages, click SSL in the main menu.)
- Click SSL.
- Under Security Preference, choose your settings. In most cases, we recommend checking Secure and HSTS Secure. However, special situations might need the Insecure option. For help, see SSL settings explained below.
- Click Save.
- It can take up to 72 hours for the update to complete. For third-party domains that aren't connected yet, it may take a bit longer.
- While the certificate is processing, you may see an error message with a red ! in your domain settings. This is normal. If you still see the error message after 72 hours and after refreshing the page, follow our troubleshooting steps.
SSL settings explained
Secure (Preferred) is the default setting for domains connected or registered with Squarespace since October 2016. This is the setting most sites need, along with HSTS enabled. Some domain providers and TLDs require it.
- Visitors are always redirected to HTTPS after the certificate is issued, even if they entered HTTP in their browser.
- Sitemaps include HTTPS links.
- Search engines index the HTTPS version, which is good for SEO.
- Your site won't load in browsers that don't support SSL.
If your site includes a lot of custom code or embedded third-party integrations, you may want to check Insecure to let visitors load your site over HTTP. Domains registered or connected before October 2016 are set to Insecure.
If you check Insecure, ensure the domain’s SSL certificate is valid.
- Visitors can access your site over both HTTP and HTTPS.
- Sitemaps include HTTP links.
- Search engines index the HTTP version.
If you’re using the Secure setting, we recommend keeping HSTS Secure enabled. HSTS Secure ensures the connection is encrypted and prevents potential attackers from accessing or impersonating your site.
When someone visits your HSTS-enabled site, their browser automatically loads the secure, HTTPS version of the URL on every visit. As long as that visitor continues to access your site from the same browser, they’ll always access the HTTPS version of your site, even if they switch to a different network. Without HSTS enabled, visitors can access the secure version of your site, but their browser will request the SSL certificate at every visit, rather than remembering it.
Note: Disabling HSTS or switching to the Insecure setting can temporarily prevent access to your site. Anyone who visited while HSTS was enabled will be blocked from your site until their HSTS policy for the site expires, which can take up to 72 hours.
SSL and Commerce
Your checkout page is protected by SSL to protect credit card information. Checkout pages are also Level 1 PCI compliant and use 128-bit SSL encryption. The checkout page is always secure, even if your site is using the Insecure SSL setting.
If your site is on the Commerce Basic or Advanced plan and Secure is checked, visitors will see your custom domain in the checkout URL.
Custom code and SSL warnings (mixed content)
Some pages on your site may have mixed content, meaning the page loads over a secure HTTPS connection, but some content loads over an insecure HTTP connection. Insecure content can come from:
If you choose the Secure setting, visitors may see browser warnings when they load mixed content from your site. To avoid this, use the Insecure SSL setting. Alternatively, you can consider removing custom code you don't need.
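To find which custom code triggers these warnings, you can scan a snippet for subresources requested over http://. The following is an added example, not a Squarespace tool. The sample markup and hostnames are constructed, and the passive/active split follows common browser handling (passive image, audio and video loads versus active scripts, frames, stylesheets and plugins, which browsers usually block).

```python
# Added example: list subresources a page would load over plain HTTP.
from html.parser import HTMLParser

# tag -> attribute that holds the subresource URL
URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "audio": "src",
            "video": "src", "source": "src", "embed": "src",
            "object": "data", "link": "href"}
PASSIVE = {"img", "audio", "video", "source"}  # everything else is active


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, kind)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTR.get(tag)
        if attr is None:
            return  # e.g. <a href> is navigation, not a subresource load
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel=canonical and similar are references, not loads
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            kind = "passive" if tag in PASSIVE else "active"
            self.findings.append((self.getpos()[0], tag, url, kind))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of a custom code block.
SAMPLE = """<div class="code-block">
<script src="http://cdn.example.net/widget.js"></script>
<script src="https://cdn.example.net/safe.js"></script>
<img src="http://images.example.net/banner.png">
<img src="//images.example.net/logo.png">
<link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="http://fonts.example.net/a.css">
<a href="http://example.org/">link</a>
</div>"""

if __name__ == "__main__":
    for line, tag, url, kind in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {url} ({kind})")
```

Protocol-relative (`//host/...`) and https:// URLs are not reported, since they load securely on an HTTPS page.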
View an SSL certificate
You can view a domain's SSL details within most browsers, which can include information like the issuing certificate authority and how long the certificate is valid. To learn how to check if a site's connection is secure, visit your browser's documentation:
Here are some technical details about our SSL certificates:
- Let's Encrypt is our certificate authority partner for providing SSL certificates.
- 2048-bit SSL encryption on all pages except checkout.
- TLS version 1.2 for all HTTPS connections.
- HTTP Public Key Pinning (HPKP) isn't currently supported.
Third-party SSL providers
We don't support installing third-party SSL certificates. If you use another SSL provider, like Cloudflare, you can switch to Squarespace's certificate.
To use Squarespace's SSL, disconnect your domain from your SSL provider and connect it from your domain provider or transfer it to Squarespace. After the domain is fully connected and using Squarespace DNS records, we'll generate a certificate.
Can I disable SSL?
It’s not possible to remove SSL certificates because they keep your site secure and ensure the best experience for your visitors. However, you can choose the Insecure setting so visitors can still use the HTTP version, even with SSL enabled.
Will SSL slow down my site?
It can take a few extra seconds to authenticate a certificate and validate a site using the Secure setting. If you notice a big difference in load time, use our troubleshooting steps to rule out other reasons your site might be loading slowly.
Does SSL work for subdomains?
Yes. Squarespace generates a certificate for each custom domain and subdomain connected to your website. This is also true for the "www" version of your domain, if you're using it separately from your naked domain.
If you have a third-party domain, ensure that it’s connected in your site’s Domains panel and not forwarded or pointed to another location.
To learn more about certificate errors and other SSL-related warnings you might see on your site, visit Troubleshooting SSL.