Troubleshoot security issues on your website or your webpage.
Websites are either served on HTTP or HTTPS. HTTPS also know as "HTTP over TLS" is recognized as the secure protocol.
Most browsers state if a site is secure — loaded over HTTPS — with a lock icon next to the website's address in the URL bar. Some browsers also state non-secure sites. Not secure errors are usually shown for pages that contain password and credit card input fields.
To learn more about your site's security, you can click the icon/label that appears next to your site's URL in the address bar.
For various security and privacy reason your browser may not be able to load your site. In such cases, you'll see an error page titled "Your connection is not private" or "This Connection is Untrusted". Visit expired.badssl.com to test how your browser responds to SSL errors.
Whichever browser you or your site visitors are using, you'll want to make sure that your site is secure. You don't want to greet your visitors with security warnings. With Webflow SSL, you're good to go! Plus, Google rewards sites served on HTTPS with a small rankings boost in search results.
Check that SSL is enabled on your Webflow-hosted site: go to project settings → hosting → advanced publishing options and make sure SSL is enabled. If it's not, enable it and save the changes. SSL is freely included in any site plan.
Make sure to update your DNS to point to our secure servers. To make sure you don't miss a step, follow the guide called Connecting a custom domain guide starting at step 2.
After following all the steps to set up SSL hosting on your site, visit your site in any browser. It should load with an https:// prefix OR with no security warning. You could also see a lock icon in the URL bar indicating that your site is secure. Clicking this icon, will provide more information about the site's security.
Staring 14 November 2018, SSL will be enabled by default on all new projects.
Now that you've enabled SSL and publish your site to your new HTTPS URL, Google needs to know that your site was moved:
If you see errors and warnings instead of the secure site indicator, troubleshoot following the steps below.
Usually, SSL certificates are generated within seconds of enabling SSL and publishing your site. However, sometimes it may take longer (around an hour or two). To ensure that there are no other issues with your SSL setup, first:
After following these steps, if you're still experiencing issues, contact support.
When you enable SSL, your domain will be redirected to https://www.yourdomain.com if your root domain (the one without www) doesn't have a CNAME record associated to it in your DNS settings. That's why we recommend that you set the www version of your domain as the default domain in your project settings → hosting → custom domain settings. Read more about setting the root domain as the default domain on SSL hosting.
So, if you've set the root domain as the default domain, your site will try to redirect to the root domain while the SSL setting is redirecting it to the www version. This is why you'll see the error code: ERR_TOO_MANY_REDIRECTS and additional www.www. prefixes in the URL bar. To fix this issue, go to project settings → hosting → custom domain and set the www version of your domain as the default domain. Publish your site and clear the browsing cache before visiting your site.
Sometimes, in Chrome, you'll see the an info icon ⓘ instead of the secure lock. Clicking this icon will provide explanation about the error. Usually, it will say that "your connection to this site is not secure". This happens when you have mixed content on your site or that specific page you're browsing.
Mixed content means that your site's code contains http URLs. They can be in links, custom code, or any other link field in your site. When there's mixed content like this on a page, the not secure label will show for those URLs. Browsers may not load content served on http://.
You can find out what and where the mixed content is by accessing the console of your browser. Shortcut: Command+Option+J (Mac) or Control+Shift+J (Windows). The message in the console will identify the http URL and might inform you if it's in a form or somewhere else. Visit mixed.badssl.com and access the console to see an example of this error.
All you need to do is replace the http URL with the https version if i exists. Most URLs will have https equivalents. So, replacing the prefix (http → https) will fix your issue. However, some code or images might not be hosted on secure sites. You'll need to find or host them on secure external hosts.
Always make sure to use URLs that start with https:// whenever you paste URL links in your:
Webflow hosts all your assets on a secure host.
Previously, you were able to paste images into rich text elements and rich text fields. If you have such content on your site, make sure to upload the images in the rich text editor. We'll host them with our secure host.
If your site isn't loading and instead the browser says "your connection is not private" or "This Connection is Untrusted":
Something went wrong while submitting the form. Please contact email@example.com