Troubleshoot website security issues
Troubleshoot security issues on your Webflow website.
Websites are either served on HTTP or HTTPS. HTTPS, also known as "HTTP over TLS" or “HTTP over SSL,” is recognized as the secure protocol.
Most browsers will state if a site is secure (i.e., loaded over HTTPS) with a “lock” icon next to the website's address in the URL bar. Some browsers also state if a site is not secure. “Not secure” errors are usually shown for web pages that aren’t using a private connection — these web pages could be security risks for password and credit card information.
To learn more about your site's security, you can click the icon/label that appears next to your site's URL in the address bar.
For various security and privacy reasons, your browser may not be able to load your site. In these cases, you’ll see an error page titled “Your connection is not private” or “This connection is untrusted.” You can visit expired.badssl.com to test how your browser responds to SSL errors.
- Chrome: Check if a site’s connection is secure
- Firefox: How can you tell if your connection to a website is secure?
- Safari: Determine whether a website is encrypted
How to secure your Webflow site
You’ll want to make sure that your site is secure no matter which browser your site visitors are using. With Webflow SSL hosting, you’re good to go! Plus, Google rewards sites served on HTTPS with a small rankings boost in search results.
How to enable SSL
As of 14 November 2018, SSL is enabled by default on all new Webflow-hosted sites. However, if you disabled SSL and want to re-enable it, you can do so in Site settings.
To enable SSL hosting on a site:
- Go to Site settings > Publishing tab > Advanced publishing options
- Toggle Enable SSL “on”
Important: Each time you disable or enable SSL on a Webflow-hosted site, you’ll need to update your DNS records to ensure that your site works correctly.
After enabling SSL hosting on your site, you can visit your site in any browser. It should load with an https:// prefix OR with no security warning. You might also see a “lock” icon in the URL bar indicating that your site is secure. Clicking the “lock” icon provides more information about the site’s security.
Must know: After you enable SSL, Webflow automatically sets a 301 redirect for your domain’s http:// URL. This will send anyone visiting the old link to the new https:// version.
Note: Webflow SSL hosting certificates are automatically renewed when the old one expires, as long as the DNS records are continuously pointed to Webflow and the site is loading on Webflow SSL hosting servers. The certificates are not set to renew in advance, so your monitoring tool may report warnings if you configured it to warn when the certificate is not installed in advance. Keep in mind, Webflow does not automatically renew custom SSL certificates. You are required to manually update your custom SSL certificate before it expires.
How to tell Google your site was moved
Now that you’ve re-enabled SSL and published your site to your new HTTPS URL, Google needs to know that your site was moved:
- Add the HTTPS property to your Search Console
- Resubmit your sitemap to Google
- Update the protocol of your website in Google Analytics from HTTP to HTTPS
Note: Google Console treats HTTP and HTTPS as separate sites. You can keep both the HTTP and HTTPS websites in Google Search Console. To direct site visitors towards your HTTPS URL, you can set this URL as canonical, although Google may choose a different URL as canonical. Learn more about how Google chooses canonical URLs.
How to troubleshoot security issues
If you see an error or warning instead of the secure “lock” icon in the URL bar, you can troubleshoot using the steps below.
Your site doesn’t load correctly after enabling SSL
Usually, SSL certificates are generated within seconds of enabling SSL and publishing your site. However, sometimes it may take longer (around an hour or two). To ensure that there are no other issues with your SSL setup, you can:
- Check that SSL is enabled in Site settings > Publishing tab > Advanced publishing options
- Check that your DNS settings are correctly pointing your domain to Webflow’s secure servers
- Re-publish your site
- Clear your browsing cache
- Check your site in incognito mode
If you’re still experiencing issues after following these steps, please contact support.
You're getting a “Too many redirects” or “Redirect Loop” error
When you enable SSL, your domain will be redirected to https://www.yourdomain.com if your root domain (the one without www) doesn’t have a CNAME record associated with it in your DNS settings. That’s why we recommend that you set the www version of your domain as the default domain.
If you’ve set the root domain as the default domain, your site will try to redirect to the root domain while the SSL setting is redirecting it to the www version. This is why you’ll see the error code: ERR_TOO_MANY_REDIRECTS. Learn more about the “too many redirects” error.
To fix this issue, set the www version of your domain as the default domain. Then, re-publish your site and clear your browsing cache before visiting your site again.
Some content on your site doesn't load
Sometimes, in the Chrome URL bar, you’ll see the “info” icon instead of the secure “lock” icon. Clicking this icon will provide an explanation about the error. Typically, it’ll say “Your connection to this site is not fully secure.” This can happen when you have mixed content on a site or web page.
If you have mixed content, your site’s code contains HTTP URLs. These URLs could be in links, custom code, or any other link field in your site. When there’s mixed content like this on a web page, the “not secure” label will show for those URLs. Some browsers may not load content served on HTTP.
How to find the HTTP links
You can find out what and where the mixed content is by accessing the console of your browser. To open the browser console, type Command + Option + J (on Mac) or Control + Shift + J (on Windows). The message in the console will identify the HTTP URL and may inform you if it’s in a form or somewhere else.
Then, once you’ve found the HTTP URLs, you can replace them with the HTTPS version, if it exists. Most URLs will have HTTPS equivalents, however, some code or images might not be hosted on secure sites. You'll need to find or host them on secure external hosts.
Note: Having unsecure code on your site can also expose sensitive customer information! It’s important to ensure your custom code won’t create any security vulnerabilities.
Best practice: Use HTTPS everywhere
Always make sure to use URLs that start with https:// whenever you paste URL links in these places:
- Link settings for link elements and inline-links in text elements
- Inline-links in rich text elements and rich text fields
- Social icons
- Video elements and video fields
- Video and media links in rich texts
- CMS link fields
- Page Open Graph settings
- Page Site search image
- Site custom code and page custom code
- On-page custom code embed element
- External form action URLs
- Sitemap link in your robots.txt
Need to know: Webflow hosts all your assets on a secure host. Previously, you were able to paste images into rich text elements and rich text fields. If you have such content on your site, make sure to upload the images in the rich text editor. We’ll host them with our secure host.
Your site doesn't load and says your connection is not private
If your site isn’t loading and instead the browser says “Your connection is not private” or “This Connection is Untrusted”:
- Make sure SSL is enabled and your DNS records are correct
- Publish your site again
- Test in incognito mode
- If it loads in incognito mode, clear your browser’s cache
- If it still doesn’t load, follow this guide from Google
If you still need help, please contact Webflow support.