Troubleshoot security issues on your Webflow website.
Websites are served over either HTTP or HTTPS. HTTPS, also known as “HTTP over TLS” or “HTTP over SSL,” is recognized as the secure protocol.
Most browsers will state if a site is secure (i.e., loaded over HTTPS) with a “lock” icon next to the website's address in the URL bar. Some browsers also state if a site is not secure. “Not secure” errors are usually shown for web pages that aren’t using a private connection — these web pages could be security risks for password and credit card information.
To learn more about your site's security, you can click the icon/label that appears next to your site's URL in the address bar.
For various security and privacy reasons, your browser may not be able to load your site. In these cases, you’ll see an error page titled “Your connection is not private” or “This connection is untrusted.” You can visit expired.badssl.com to test how your browser responds to SSL errors.
You’ll want to make sure that your site is secure no matter which browser your site visitors are using. With Webflow SSL hosting, you’re good to go! Plus, Google rewards sites served on HTTPS with a small rankings boost in search results.
As of 14 November 2018, SSL is enabled by default on all new Webflow-hosted sites. However, if you disabled SSL and want to re-enable it, you can do so in Site settings.
To enable SSL hosting on a site:
Important: Each time you disable or enable SSL on a Webflow-hosted site, you’ll need to update your DNS records to ensure that your site works correctly.
After enabling SSL hosting on your site, you can visit your site in any browser. It should load with an https:// prefix OR with no security warning. You might also see a “lock” icon in the URL bar indicating that your site is secure. Clicking the “lock” icon provides more information about the site’s security.
Must know: After you enable SSL, Webflow automatically sets a 301 redirect for your domain’s http:// URL. This will send anyone visiting the old link to the new https:// version.
Now that you’ve re-enabled SSL and published your site to your new HTTPS URL, Google needs to know that your site was moved:
If you see an error or warning instead of the secure “lock” icon in the URL bar, you can troubleshoot using the steps below.
Usually, SSL certificates are generated within seconds of enabling SSL and publishing your site. However, sometimes it may take longer (around an hour or two). To ensure that there are no other issues with your SSL setup, you can:
If you’re still experiencing issues after following these steps, please contact support.
When you enable SSL, your domain will be redirected to https://www.yourdomain.com if your root domain (the one without www) doesn’t have a CNAME record associated with it in your DNS settings. That’s why we recommend that you set the www version of your domain as the default domain.
If you’ve set the root domain as the default domain, your site will try to redirect to the root domain while the SSL setting is redirecting it to the www version. This is why you’ll see the error code: ERR_TOO_MANY_REDIRECTS. Learn more about the “too many redirects” error.
To fix this issue, set the www version of your domain as the default domain. Then, re-publish your site and clear your browsing cache before visiting your site again.
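The redirect conflict described above can be reproduced with a small model. This is an added example, not Webflow's code: the two rules in `makeResolver` are a simplified assumption of the SSL redirect and the default-domain redirect, and `yourdomain.com` is the placeholder domain used in this article.

```javascript
// Added example: simplified model of the two redirect rules described above.
const ROOT = 'yourdomain.com';
const WWW = 'www.yourdomain.com';

// Returns a function that answers a request the way the two rules would.
function makeResolver(defaultHost) {
  return function resolve(urlString) {
    const url = new URL(urlString);
    // SSL rule (assumed): http:// and the CNAME-less root go to https://www.
    if (url.protocol === 'http:' || url.hostname === ROOT) {
      return { status: 301, location: `https://${WWW}${url.pathname}` };
    }
    // Default-domain rule (assumed): every other host goes to the default.
    if (url.hostname !== defaultHost) {
      return { status: 301, location: `https://${defaultHost}${url.pathname}` };
    }
    return { status: 200 };
  };
}

// Follows redirects and reports a loop as soon as a URL repeats.
function traceRedirects(startUrl, resolve, maxHops = 20) {
  const chain = [startUrl];
  const seen = new Set(chain);
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const res = resolve(current);
    if (res.status < 300 || res.status >= 400) return { outcome: 'ok', chain };
    const next = new URL(res.location, current).href;
    chain.push(next);
    if (seen.has(next)) return { outcome: 'loop', chain };
    seen.add(next);
    current = next;
  }
  return { outcome: 'too_many_redirects', chain };
}

// Root set as default domain: the two rules bounce between root and www.
const broken = traceRedirects('http://yourdomain.com/', makeResolver(ROOT));
// www set as default domain: one redirect, then the page loads.
const fixed = traceRedirects('http://yourdomain.com/', makeResolver(WWW));

console.log(broken.outcome, broken.chain.join(' -> '));
console.log(fixed.outcome, fixed.chain.join(' -> '));
```

Against a live site, the same chain can be read from the Location headers of successive responses.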
Sometimes, in the Chrome URL bar, you’ll see the “info” icon instead of the secure “lock” icon. Clicking this icon will provide an explanation about the error. Typically, it’ll say “Your connection to this site is not fully secure.” This can happen when you have mixed content on a site or web page.
If you have mixed content, your site’s code contains HTTP URLs. These URLs could be in links, custom code, or any other link field in your site. When there’s mixed content like this on a web page, the “not secure” label will show for those URLs. Some browsers may not load content served on HTTP.
You can find out what and where the mixed content is by accessing the console of your browser. To open the browser console, press Command + Option + J (on Mac) or Control + Shift + J (on Windows). The message in the console will identify the HTTP URL and may inform you if it’s in a form or somewhere else.
Then, once you’ve found the HTTP URLs, you can replace them with the HTTPS version, if it exists. Most URLs will have HTTPS equivalents; however, some code or images might not be hosted on secure sites. You'll need to find or host them on secure external hosts.
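To audit exported or custom-code markup in bulk instead of reading console messages one page at a time, a scan like the following lists every http:// reference and where it sits. It is an added example, not Webflow tooling; the function names and the sample hosts are constructed, and the regex scan is an approximation that does not replace a real HTML parser.

```javascript
// Added example: list http:// references in a page's markup.
// Regex-based scan for an audit pass; not a full HTML parser.

// Attributes whose value the browser fetches, follows or submits to.
const URL_ATTRS = new Set(['src', 'href', 'action', 'poster', 'data']);

function classify(tag) {
  if (tag === 'a') return 'link';
  if (tag === 'form') return 'form';
  return 'resource';
}

function findInsecureUrls(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  for (const [, rawTag, attrs] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const m of attrs.matchAll(attrRe)) {
      const attr = m[1].toLowerCase();
      const url = (m[2] ?? m[3] ?? m[4]).trim();
      if (URL_ATTRS.has(attr) && /^http:\/\//i.test(url)) {
        findings.push({ kind: classify(tag), tag, attr, url });
      }
    }
  }
  // Inline CSS: url(http://...) in style attributes and <style> blocks.
  for (const m of html.matchAll(/url\(\s*['"]?(http:\/\/[^'")\s]+)/gi)) {
    findings.push({ kind: 'resource', tag: 'css', attr: 'url()', url: m[1] });
  }
  // The https:// candidate still has to be checked: the host may not serve it.
  return findings.map((f) => ({ ...f, httpsCandidate: f.url.replace(/^http:/i, 'https:') }));
}

// Constructed sample markup (hypothetical hosts).
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<img src="http://images.example.com/hero.png" alt="hero">
<script src='http://widgets.example.com/embed.js'></script>
<form action="http://forms.example.com/subscribe" method="post"></form>
<a href="http://blog.example.com/">Blog</a>
<div style="background-image: url(http://images.example.com/bg.jpg)"></div>
`;

console.table(findInsecureUrls(SAMPLE_HTML));
```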
Always make sure to use URLs that start with https:// whenever you paste URL links in these places:
Need to know: Webflow hosts all your assets on a secure host. Previously, you were able to paste images into rich text elements and rich text fields. If you have such content on your site, make sure to upload the images in the rich text editor. We’ll host them with our secure host.
If your site isn’t loading and instead the browser says “Your connection is not private” or “This Connection is Untrusted”:
If you still need help, please contact Webflow support.