Important information about SSL and steps to edit SSL settings to meet your security needs.
All domains correctly added to your Squarespace site are automatically protected with free SSL certificates to improve security. SSL secures connections and prevents hackers from impersonating you or stealing visitors' information.
This guide explains how to select SSL settings based on what you need and other important information to know about your SSL certificate. If you're seeing a warning about your site's security, try these troubleshooting steps.
What you'll need
SSL certificates are automatically included for:
- Squarespace domains (registered or transferred to Squarespace)
- Connected third-party domains
- Built-in domains
If there's something wrong with your domain connection, SSL certificates won't work. To ensure your domain is eligible for an SSL certificate:
- If you’re using a third-party domain, it needs to be connected correctly. To check if there's an issue preventing SSL for your domain, review your DNS records in Squarespace.
- If you're using a Squarespace domain, it must point to a Squarespace site. If your domain or subdomain is pointing away from Squarespace, contact your website host about an SSL certificate instead.
Domain names must be 63 characters or less to receive an SSL certificate.
Choose SSL settings
SSL is automatically enabled; you don't need to do anything to set it up. If you have more complex security needs, you may need to change other settings.
To choose an SSL setting:
- Open the Developer tools panel. (For parking pages, click SSL in the main menu.)
- Click SSL.
- Under Security preference, choose your settings. Usually, we recommend checking Secure and HSTS secure. Some special situations might need the Insecure option. For help, see SSL settings explained.
- Click Save.
- It can take up to 72 hours for the update to complete. For third-party domains that aren't connected yet, it may take a bit longer.
- While the certificate is processing, you may find an error message in your domain settings. This is normal. If it's been more than 72 hours, follow these troubleshooting steps.
SSL settings explained
Secure (Preferred) is the default setting that most sites need, along with HSTS enabled. Some domain providers and TLDs require it.
- Visitors are always redirected to HTTPS after the certificate is issued, even if they entered HTTP in their browser.
- Sitemaps include HTTPS links.
- Search engines index the HTTPS version, which is good for SEO.
- Your site won't load in browsers that don't support SSL.
If your site has a lot of custom code or third-party embeds, you may want to check Insecure. This allows visitors to load your site over HTTP. Domains registered or connected before October 2016 are set to Insecure.
If you check Insecure, ensure the domain’s SSL certificate is valid.
- Visitors can access your site over both HTTP and HTTPS.
- Sitemaps include HTTP links.
- Search engines index the HTTP version.
If you’re using the Secure setting, we recommend keeping HSTS Secure enabled. HSTS Secure encrypts the connection and prevents potential attackers from accessing or impersonating your site.
Note: Disabling HSTS or switching to the Insecure setting can temporarily prevent access to your site. Anyone who visited while HSTS was enabled will be blocked from your site until their HSTS policy for the site expires, which can take up to 72 hours.
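The lockout in the note above follows from how browsers store an HSTS policy: the expiry is counted from each visitor's last HTTPS visit, not from when you change the setting. The following is an added example, not Squarespace code; the header value is constructed, and its max-age of 259200 seconds is an assumption chosen to mirror the 72 hours mentioned in the note.

```python
from datetime import datetime, timedelta, timezone


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age_seconds, include_subdomains).

    Returns None when there is no usable max-age; browsers ignore such a header.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # the value may be a quoted string
        if name == "max-age" and value.isdecimal():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def https_only_until(header, last_secure_visit):
    """When a browser that received `header` at `last_secure_visit` stops forcing HTTPS.

    Returns None if the header sets no policy or clears it (max-age=0).
    """
    policy = parse_hsts(header)
    if policy is None or policy[0] == 0:
        return None
    return last_secure_visit + timedelta(seconds=policy[0])


def visitor_blocked(header, last_secure_visit, now):
    """True if the browser still upgrades every request to HTTPS at `now`."""
    until = https_only_until(header, last_secure_visit)
    return until is not None and now < until


# Constructed values: the page does not state the max-age Squarespace sends.
SAMPLE_HEADER = "max-age=259200"
LAST_VISIT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
```

A visitor whose last HTTPS visit was at `LAST_VISIT` keeps being upgraded to HTTPS until three days later, whatever the site's setting is in the meantime.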
SSL and commerce checkout
Your checkout page is protected by SSL to protect credit card information. Checkout pages are also Level 1 PCI compliant and use 128-bit SSL encryption. The checkout page is always secure, even if your site is using the Insecure SSL setting.
If your site is on the Commerce Basic or Advanced plan and Secure is checked, visitors will see your custom domain in the checkout URL.
Custom code and SSL warnings (mixed content)
Some pages on your site may have mixed content, meaning the page loads over a secure HTTPS connection, but some content loads over an insecure HTTP connection. Insecure content can come from:
If you choose the Secure setting, visitors may find browser warnings when they load mixed content from your site. To avoid this, use the Insecure SSL setting. You can also consider removing custom code you don't need.
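To find which custom code triggers a mixed content warning before changing the SSL setting, you can scan the code for resources requested over http://. The following is an added example, not a Squarespace tool; the tag list is a working selection and the sample markup and hostnames are constructed.

```python
from html.parser import HTMLParser

# Attributes a browser fetches while rendering the page, per tag. <a href> is a
# navigation link, not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src", "srcset"),
    "embed": ("src",), "object": ("data",),
}
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        names = SUBRESOURCE_ATTRS.get(tag, ())
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            names = ("href",)
        for name in names:
            value = attrs.get(name, "")
            # srcset holds comma-separated "url descriptor" candidates
            parts = value.split(",") if name == "srcset" else [value]
            for part in parts:
                tokens = part.split()
                url = tokens[0] if tokens else ""
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))


def find_mixed_content(html):
    """Return (line, tag, attribute, url) for every subresource loaded over HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample of a custom code block.
SAMPLE = """<script src="http://cdn.example.com/widget.js"></script>
<img src="https://images.example.com/logo.png">
<a href="http://example.com/about">About</a>
<iframe src="//player.example.net/embed/1"></iframe>
<link rel="stylesheet" href="HTTP://fonts.example.org/site.css">
<img srcset="https://img.example.com/a.png 1x, http://img.example.com/a2.png 2x">
"""
```

Calling `find_mixed_content(SAMPLE)` reports the script, the stylesheet and the second srcset candidate. The plain link and the protocol-relative iframe are not reported, because a link is only navigation and a `//` URL inherits the page's HTTPS scheme.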
Check a site's SSL certificate
To check if SSL is protecting a page, look for a URL beginning with https:// and a closed padlock icon next to it.
You can view a domain's SSL details in most browsers, which can include information like the issuing certificate authority and how long the certificate is valid. To learn how to check if a site's connection is secure, visit your browser's documentation:
Here are some technical details about our SSL certificates:
- Let's Encrypt is our certificate authority partner for providing SSL certificates.
- 2048-bit SSL encryption on all pages except checkout.
- TLS version 1.2 for all HTTPS connections.
- HTTP Public Key Pinning (HPKP) isn't currently supported.
- You don't need a Certificate Signing Request (CSR) to get an SSL certificate. We issue certificates automatically.
Third-party SSL providers
We don't support installing third-party SSL certificates. If you use another SSL provider, like Cloudflare, you can switch to Squarespace's certificate.
To use Squarespace's SSL, disconnect your domain from your SSL provider and connect it from your domain provider or transfer it to Squarespace. After the domain is fully connected and using Squarespace DNS records, we'll generate a certificate.
Your site’s existing HTTPS traffic will be unavailable while your DNS changes process and we generate the certificate. During this time, you may see a certificate error in your SSL panel.
What is SSL?
SSL (Secure Sockets Layer) is a technology that secures the connection between your browser and the website you’re visiting. All modern computer and mobile browsers support SSL. Websites using SSL will have URLs beginning with https://.
What are the benefits of SSL?
SSL protection has many benefits, including:
- Creates trust with visitors by showing their information is secure and encrypted on your site.
- Prevents hackers from stealing data visitors submit through your site's forms and checkout page, including personal information.
- May help your site load faster.
- Helps with SEO.
Can I disable SSL?
It’s not possible to remove SSL certificates because they keep your site secure and ensure the best experience for your visitors. However, you can choose the Insecure setting so visitors can still use the HTTP version, even with SSL enabled.
Does SSL slow down my site?
It can take a few extra seconds to authenticate a certificate and validate a site using the Secure setting. If you notice a big difference in load time, use our troubleshooting steps to rule out other reasons your site might be loading slowly.
Does SSL work for subdomains?
Yes. Squarespace generates a certificate for each custom domain and subdomain connected to your website. This is also true for the "www" version of your domain, if you're using it separately from your naked domain.
If you're using your subdomain as your site's primary domain, uncheck Use WWW Prefix to prevent certificate errors.
If you have a third-party domain, ensure that it’s connected in your site’s Domains panel and not forwarded or pointed to another location.
Do I need to set my SSL to "Secure" to keep my account details private?
No. With any SSL setting, your site login password is always encrypted, and you're automatically redirected to a secure session to modify sensitive account information.
Does Squarespace 5 include SSL?
SSL is included in Squarespace 5. To learn more, visit Squarespace 5 and SSL.
To learn more about certificate errors and other SSL-related warnings you might find on your site, visit Troubleshooting SSL.