You can enable SSL certificates for custom domains connected to Squarespace 5 sites, and for built-in domains. With SSL enabled, your visitors can access a constant, secure connection on every page. They'll see a lock icon next to your URL in the browser, showing that their information is safe.
This guide explains how to enable SSL and customize your settings in Website Settings. With any setting, your site login password is always encrypted, and you're automatically redirected to a secure session to modify sensitive account information.
Tip: We added the option for site-wide SSL in April 2019.
What is SSL?
Secure Sockets Layer, or SSL, is used to encrypt information transferred throughout the Internet. SSL allows visitors to navigate a website and submit information through a secure connection.
Before you begin
- Before enabling SSL for a custom domain, ensure it's correctly connected to your site and using the most current CNAME and A records.
- Installing third-party custom SSL certificates isn't supported for Squarespace 5.
- If you're collecting money through a third-party service, contact your service provider for information about their payment processing security.
- The Login Prompt widget is only available on the Basic Security setting.
Enable or disable SSL
To access SSL settings:
- In the Website Management bar, click Website Settings under Structure.
- Click Security.
- In the Traffic Encryption drop-down menu, choose an encryption setting.
- To enable the encryption setting, log out of your account and log in again.
There are three options:
- Basic Security - Only billing and password transactions are encrypted with SSL.
- Strong Security - Only billing, password transactions, member login, and administrative areas are encrypted with SSL.
- High Security - All traffic to your site is encrypted with SSL.
In most cases, we recommend High Security.
Tip: Logging into your site is always protected by SSL.
Some pages on your site may have mixed content, meaning the page loads over a secure HTTPS connection, but some content loads over an insecure HTTP connection. Insecure content can come from:
- Third-party customizations
- Custom code
- Direct URL links to pages on your site
- Images you've added with direct URLs that link to file storage.
Since mixed content on your website degrades HTTPS site security, if you choose the High Security setting, visitors may see a browser warning when they load mixed content from your site. To avoid this, switch to other pages or widgets that support your content securely. For example, you can:
- Link to pages on your site with the Your Website option.
- Add images from file storage with the Your Images option.
These create internal links that update automatically to work with the URL your visitors are using.
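To find the hard-coded http:// references described above before switching to High Security, you can scan a page's HTML. This is an added example, not Squarespace code; the sample page and the example.com / example.net hosts are constructed placeholders.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that the browser fetches while rendering the page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects http:// references in the HTML of a page served over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower().split()
        for name, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # relative, protocol-relative and https:// URLs are fine
            is_css = tag == "link" and name == "href" and "stylesheet" in rel
            if (tag, name) in ACTIVE or is_css:
                kind = "active"    # code, frames, stylesheets
            elif (tag, name) in PASSIVE:
                kind = "passive"   # images and media
            elif (tag, name) == ("a", "href"):
                kind = "link"      # not fetched with the page, but leaves HTTPS
            else:
                continue
            self.findings.append((kind, tag, url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://files.example.net/theme.css">
<script src="https://cdn.example.net/widget.js"></script>
</head><body>
<img src="http://files.example.net/storage/photo.jpg">
<img src="/storage/logo.png">
<a href="http://www.example.com/about">About</a>
<a href="/contact">Contact</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Every reported URL is a candidate for replacement with an internal link or an https:// address.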
"Not Secure" messages
If you see security or privacy browser warnings when visiting your site, we recommend you enable SSL (High Security setting).
If you don't have SSL enabled, your site is just as secure as it's always been, but browsers now prefer site-wide SSL. For this reason, they label pages without SSL as insecure, or give other security warnings.
If you haven't enabled SSL, there are ways to avoid these messages:
- When logged out and visiting your site, start the URL for your custom domain with http:// instead of https://
- Always use the direct URL to log in.
- Disable SSL for your site member areas (use the Basic Security setting).
You may also see security certificate errors, which block you from seeing a page. These errors occur because the SSL certificate is provided for Squarespace.com, rather than your custom domain. They're warning that you may be contacting a host other than the one you intend, but unless you run a very high-risk domain, this is not happening to you.
Your site may display security certificate errors if:
- You're visiting your custom domain and starting the URL with https:// instead of http://
- You're accessing your billing information from a custom domain.
- A site member is resetting their password.
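The name check behind these certificate errors can be reproduced offline. This is an added example, not Squarespace code; the certificate name list is constructed for illustration (not read from a real certificate) and www.example.com stands in for a custom domain.

```python
def _labels(name):
    """Normalise a DNS name and split it into labels."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(hostname, pattern):
    """True if one certificate DNS name covers the requested hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        # Wildcard is honoured only as the whole left-most label,
        # with at least two fixed labels after it.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def certificate_covers(hostname, cert_dns_names):
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(hostname, p) for p in cert_dns_names)


# Constructed name list standing in for a certificate issued to the platform.
PLATFORM_CERT_NAMES = ["squarespace.com", "*.squarespace.com"]

if __name__ == "__main__":
    for host in ("mysite.squarespace.com", "www.example.com"):
        ok = certificate_covers(host, PLATFORM_CERT_NAMES)
        print(f"{host}: {'covered' if ok else 'name mismatch -> certificate error'}")
```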
Processing Request error
If you see an error message that says "To use this encryption, change your site's DNS for all domains in Website Settings > Custom Domains," your site's custom domain isn't up to date with our current DNS records. Update your DNS settings to enable High Security.
If you've updated your DNS records and you're still seeing this error message, try resetting your domain connection:
- Click Website Management, then click Custom Domains under Structure.
- Click your Squarespace-managed domain to expand the options for that domain.
- In the Domain Linking section, switch the ON toggle to OFF. Wait a few moments, then switch the toggle back to ON.
- Return to your Security settings and try enabling SSL again.
Here are some technical details about our SSL certificates:
- Let's Encrypt is our certificate authority partner for providing SSL certificates.
- 2048-bit SSL encryption on all pages.
- TLS version 1.2 for all HTTPS connections.
- HTTP Public Key Pinning (HPKP) isn't currently supported.