Troubleshooting website security issues

Websites are served over either HTTP or HTTPS. HTTPS, also known as "HTTP over TLS", is recognized as the secure protocol.

Most browsers state if a site is secure — loaded over HTTPS — with a lock icon next to the website's address in the URL bar. Some browsers also state non-secure sites. Not secure errors are usually shown for pages that contain password and credit card input fields.

To learn more about your site's security, you can click the icon/label that appears next to your site's URL in the address bar.

Here's how security information shows on a Chrome browser.

For various security and privacy reasons, your browser may not be able to load your site. In such cases, you'll see an error page titled "Your connection is not private" or "This Connection is Untrusted". Visit expired.badssl.com to test how your browser responds to SSL errors.

Secure your site

Whichever browser you or your site visitors are using, you'll want to make sure that your site is secure. You don't want to greet your visitors with security warnings. With Webflow SSL, you're good to go! Plus, Google rewards sites served on HTTPS with a small rankings boost in search results.

Enable SSL

Check that SSL is enabled on your Webflow-hosted site: go to project settings → hosting → advanced publishing options and make sure SSL is enabled. If it's not, enable it and save the changes. SSL is free. Make sure to update your DNS to point to our secure servers. To make sure you don't miss a step, follow the Connecting a custom domain guide, starting at step 2.

After following all the steps to set up SSL hosting on your site, visit your site in any browser. It should load with an https:// prefix OR with no security warning. You could also see a lock icon in the URL bar indicating that your site is secure. Clicking this icon will provide more information about the site's security.

Starting 14 November 2018, SSL will be enabled by default on all new projects.
Must know
Webflow will automatically set a 301 redirect for your domain's http:// URL and send anyone visiting an old link to the new https:// version.
Webflow will also automatically renew your certificate for free as long as you have an active Webflow SSL hosting.

Tell Google your site was moved

Now that you've enabled SSL and published your site to your new HTTPS URL, Google needs to know that your site was moved:

  1. Add the HTTPS property to your Search Console. Google Console treats HTTP and HTTPS as separate sites. You can keep both the HTTP and HTTPS websites in Google Search Console. Just make sure to set your default domain with the https:// prefix as your preferred domain.
  2. Resubmit your sitemap to Google
  3. Update the protocol of your website in Google Analytics from HTTP to HTTPS

Troubleshoot security issues

If you see errors and warnings instead of the secure site indicator, troubleshoot following the steps below.

Your site doesn't load correctly after enabling SSL

Usually, SSL certificates are generated within seconds of enabling SSL and publishing your site. However, sometimes it may take longer (around an hour or two). To ensure that there are no other issues with your SSL setup, first:

  1. check that SSL is indeed enabled in project settings → hosting → custom domains
  2. check that your DNS settings are correctly pointing your domain to Webflow's secure servers
  3. publish your site again
  4. clear your browsing cache
  5. check your site in incognito mode

After following these steps, if you're still experiencing issues, contact support.

You're getting a "Too many redirects" or "Redirect Loop" error

When you enable SSL, your domain will be redirected to https://www.yourdomain.com if your root domain (the one without www) doesn't have a CNAME record associated to it in your DNS settings. That's why we recommend that you set the www version of your domain as the default domain in your project settings → hosting → custom domain settings. Read more about setting the root domain as the default domain on SSL hosting.

So, if you've set the root domain as the default domain, your site will try to redirect to the root domain while the SSL setting is redirecting it to the www version. This is why you'll see the error code: ERR_TOO_MANY_REDIRECTS and additional www.www. prefixes in the URL bar. To fix this issue, go to project settings → hosting → custom domain and set the www version of your domain as the default domain. Publish your site and clear the browsing cache before visiting your site.
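
The conflict between the two redirects can be reproduced with a small model. This is an added example, not Webflow's code; the rule functions, `traceRedirects` and the yourdomain.com hosts are assumptions based on the behaviour described above.

```javascript
// Simplified model (assumption): the SSL setting sends the root domain to the
// https://www version and upgrades any http:// URL to https://.
function sslRedirect(url) {
  if (url.hostname === "yourdomain.com") return "https://www.yourdomain.com" + url.pathname;
  if (url.protocol === "http:") return "https://" + url.host + url.pathname;
  return null; // no redirect needed
}

// Simplified model (assumption): the default-domain setting sends every other
// hostname to the configured default.
function defaultDomainRedirect(defaultHost) {
  return (url) =>
    url.hostname !== defaultHost ? `${url.protocol}//${defaultHost}${url.pathname}` : null;
}

// Apply the first matching rule at each hop and stop on a repeat or a hop limit,
// which is how a browser ends up at ERR_TOO_MANY_REDIRECTS.
function traceRedirects(start, rules, maxHops = 20) {
  let current = new URL(start).href;
  const chain = [current];
  const seen = new Set(chain);
  for (let hop = 0; hop < maxHops; hop++) {
    const url = new URL(current);
    let next = null;
    for (const rule of rules) {
      next = rule(url);
      if (next) break;
    }
    if (!next) return { chain, loop: false }; // final URL reached
    next = new URL(next).href;
    chain.push(next);
    if (seen.has(next)) return { chain, loop: true };
    seen.add(next);
    current = next;
  }
  return { chain, loop: true }; // hop limit hit
}

const rootDefault = traceRedirects("http://yourdomain.com/",
  [sslRedirect, defaultDomainRedirect("yourdomain.com")]);
const wwwDefault = traceRedirects("http://yourdomain.com/",
  [sslRedirect, defaultDomainRedirect("www.yourdomain.com")]);
console.log("root as default:", rootDefault.loop, rootDefault.chain.join(" -> "));
console.log("www as default: ", wwwDefault.loop, wwwDefault.chain.join(" -> "));
```
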

Some content on your site doesn't load

Sometimes, in Chrome, you'll see an info icon ⓘ instead of the secure lock. Clicking this icon will provide an explanation of the error. Usually, it will say that "your connection to this site is not secure". This happens when you have mixed content on your site or on the specific page you're browsing.

Mixed content means that your site's code contains http URLs. They can be in links, custom code, or any other link field in your site. When there's mixed content like this on a page, the not secure label will show for those URLs. Browsers may not load content served on http://.

Let's find these links!

You can find out what and where the mixed content is by accessing the console of your browser. Shortcut: Command+Option+J (Mac) or Control+Shift+J (Windows). The message in the console will identify the http URL and might inform you if it's in a form or somewhere else. Visit mixed.badssl.com and access the console to see an example of this error.

All you need to do is replace the http URL with the https version if it exists. Most URLs will have https equivalents. So, replacing the prefix (http → https) will fix your issue. However, some code or images might not be hosted on secure sites. You'll need to find or host them on secure external hosts.
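
To audit custom code or exported markup before publishing, rather than one console message at a time, the http:// URLs can be listed with a short script. This is an added example, not part of the original guide; `findInsecureUrls`, the tag table and the sample markup are assumptions, and each suggested https:// URL still has to be checked to confirm it exists.

```javascript
// Constructed sample markup; all hosts are placeholders.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://widgets.example.net/embed.js"></script>
<img src='http://images.example.org/hero.png' alt="hero">
<form action="http://forms.example.com/subscribe" method="post"></form>
<a href="http://example.com/about">About</a>
<img src="//images.example.org/logo.png">
`;

// Tag -> [triage bucket, ...URL attributes]. "active" content (scripts, frames,
// stylesheets) is what browsers block first; "passive" is images and media;
// "navigation" is a plain link, listed for cleanup. <link> rel is not inspected.
const TAGS = {
  script: ["active", "src"], iframe: ["active", "src"], link: ["active", "href"],
  img: ["passive", "src"], audio: ["passive", "src"], video: ["passive", "src", "poster"],
  form: ["form", "action"], a: ["navigation", "href"],
};

// Collect name=value pairs from the inside of one tag (quoted or unquoted values).
function parseAttrs(text) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let a;
  while ((a = re.exec(text)) !== null) out[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4]).trim();
  return out;
}

// Regex scan suited to pasted embed code; it is not a full HTML parser.
function findInsecureUrls(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const [kind, ...names] = TAGS[tag] || [];
    const attrs = parseAttrs(m[2]);
    for (const name of names) {
      const url = attrs[name];
      if (!url || !/^http:\/\//i.test(url)) continue; // https:// and // URLs pass
      findings.push({ tag, attr: name, kind, url, candidate: url.replace(/^http:/i, "https:") });
    }
  }
  return findings;
}

for (const f of findInsecureUrls(SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(10)} <${f.tag} ${f.attr}> ${f.url} -> ${f.candidate}`);
}
```
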

Make sure your custom code won't create any security vulnerabilities. Unsecured code could expose sensitive customer information!
Best practice — Use HTTPS everywhere

Always make sure to use URLs that start with https:// whenever you paste URL links in your:

Need to know
Webflow hosts all your assets on a secure host.
Previously, you were able to paste images into rich text elements and rich text fields. If you have such content on your site, make sure to upload the images in the rich text editor. We'll host them with our secure host.

Your site doesn't load and says your connection is not private

If your site isn't loading and instead the browser says "your connection is not private" or "This Connection is Untrusted":

  1. Make sure SSL is enabled and your DNS is correct
  2. Publish your site again
  3. Test in incognito mode
  4. If it loads in incognito mode, clear your browser's cache.
  5. If it still doesn't load, follow this guide by Google.
  6. If all fails, contact Webflow support.