Resolve website security concerns

Troubleshoot security issues on your Webflow website.

Websites are typically served on either HTTP or HTTPS. The term HTTPS, also referred to as “HTTP over TLS” or “HTTP over SSL,” is widely acknowledged as the secure protocol.

Most browsers indicate if a website is secure (loaded over HTTPS) by displaying a “lock” icon next to the website’s address in the URL bar. Some browsers also notify users if a site is not secure. Instances where web pages do not utilize a private connection may trigger “Not secure” errors, indicating potential security risks for sensitive information like passwords and credit card details.

Examples of the URL bar icons: A “lock” icon for “Secure”, an “info” icon for “Info or Not secure,” and an “exclamation mark in a triangle” icon for “Not secure or Dangerous”

To gain more insights into your site’s security, simply click on the icon/label positioned next to your site’s URL in the address bar.

Due to various security and privacy considerations, your browser might encounter challenges while loading your site. In such instances, you may encounter an error page titled “Your connection is not private” or “This connection is untrusted.” To test how your browser handles SSL errors, visit expired.badssl.com.

Steps to safeguard your Webflow site

Ensuring the security of your site across all browsers used by visitors is essential. With Webflow SSL hosting, this aspect is taken care of! Also, note that Google provides a slight boost in search rankings to websites served over HTTPS.

How to activate SSL

Starting from 14 November 2018, SSL is automatically activated for all new sites hosted on Webflow. In case you disabled SSL and wish to re-enable it, follow these steps under Site settings.

To enable SSL hosting for a site:

  1. Navigate to Site settings > Publishing tab > Advanced publishing options
  2. Switch on Enable SSL from the options

Note: Whenever you toggle SSL on or off for a site hosted on Webflow, remember to update your DNS records to ensure smooth site functionality.

After activating SSL hosting for your site, try accessing it in any browser. It should load with an https:// prefix or without any security alerts. You may also notice a “lock” icon in the URL bar, implying that your site is secure. Clicking on the “lock” icon will provide further details on the site’s security.

Essential: Following the activation of SSL, Webflow autonomously configures a 301 redirect for your domain’s http:// URL. This action will direct anyone accessing the former link to the new https:// version. 

Tip: Webflow SSL hosting certificates renew automatically when the existing certificate expires, provided that the DNS records still point to Webflow and the site still runs on Webflow SSL hosting servers. Certificate renewals are not scheduled in advance, so your monitoring tool might issue alerts because a replacement certificate isn’t pre-installed. Note that Webflow does not automatically renew custom SSL certificates: you must manually update your custom SSL certificate before it expires.

The procedure to inform Google about your site relocation

Now that you have re-enabled SSL and published your site on its new HTTPS URL, Google needs to be notified that your site has moved:

  1. Include the HTTPS property in your Search Console
  2. Resubmit your sitemap to Google
  3. Update your website’s protocol in Google Analytics from HTTP to HTTPS

Note: Google Search Console treats HTTP and HTTPS as distinct sites. Both the HTTP and HTTPS websites can be monitored in Google Search Console. To direct site visitors towards your HTTPS URL, you can establish this URL as canonical, although Google may opt for a different canonical URL. Learn more about Google’s canonical URL selection process.

Steps to solve security complications

If the secure “lock” icon is replaced with an error or warning in the URL bar, you can troubleshoot using the following steps.

Malfunctioning of your site post SSL activation

SSL certificates are usually generated instantly upon SSL activation and site publication. However, in some cases, it may take longer (approximately one to two hours). To validate the integrity of your SSL setup, undertake the following steps:

  • Confirm the SSL activation in Site settings > Publishing tab > Advanced publishing options
  • Validate that your DNS settings correctly lead your domain to Webflow’s secure servers
  • Re-publish your site
  • Clear your browser’s cache
  • Evaluate your site in incognito mode

If issues persist after adhering to these steps, kindly reach out to support.

Encountering a “Too many redirects” or “Redirect Loop” error

Upon SSL activation, your domain redirects to https://www.yourdomain.com in the absence of a CNAME record linked with the root domain (the one without www) in your DNS settings. Therefore, selecting the www version of your domain as the primary domain is recommended. 

If the root domain is chosen as the primary domain, the redirect to the root domain conflicts with the SSL setting that redirects it to the www version, and the browser displays the error code ERR_TOO_MANY_REDIRECTS. Further insights on the “too many redirects” error can be accessed.

To rectify this issue, designate the www version of your domain as the primary domain. Then re-publish your site and clear your browser’s cache before revisiting your site.
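
The redirect behaviour described above can be checked offline once the redirects are written down as a table. The following is an added example, not Webflow code: the function names and both redirect tables are constructed for illustration, using the placeholder domain from this page.

```python
from urllib.parse import urlsplit

def trace_redirects(start_url, redirects, max_hops=20):
    """Follow redirects ({url: (status, location)}) from start_url.

    Returns (chain, verdict) where verdict is "ok", "loop" or "too-many-hops".
    """
    chain = [start_url]
    while chain[-1] in redirects:
        _status, location = redirects[chain[-1]]
        if location in chain:
            return chain + [location], "loop"
        if len(chain) > max_hops:
            return chain, "too-many-hops"
        chain.append(location)
    return chain, "ok"

def audit(start_url, redirects):
    """Return a list of problems with the HTTP-to-HTTPS redirect setup."""
    chain, verdict = trace_redirects(start_url, redirects)
    if verdict != "ok":
        return [f"{verdict}: " + " -> ".join(chain)]
    problems = []
    if urlsplit(chain[-1]).scheme != "https":
        problems.append(f"final URL is not HTTPS: {chain[-1]}")
    if start_url in redirects and redirects[start_url][0] != 301:
        problems.append(f"first hop is {redirects[start_url][0]}, not a permanent 301")
    return problems

# Constructed redirect tables (assumed for illustration) for the two setups.
WWW_PRIMARY = {
    "http://yourdomain.com/": (301, "https://www.yourdomain.com/"),
    "http://www.yourdomain.com/": (301, "https://www.yourdomain.com/"),
    "https://yourdomain.com/": (301, "https://www.yourdomain.com/"),
}
ROOT_PRIMARY = {
    "http://yourdomain.com/": (301, "https://www.yourdomain.com/"),
    "https://www.yourdomain.com/": (301, "https://yourdomain.com/"),  # primary-domain redirect
    "https://yourdomain.com/": (301, "https://www.yourdomain.com/"),  # SSL redirect to www
}

if __name__ == "__main__":
    for name, table in (("www primary", WWW_PRIMARY), ("root primary", ROOT_PRIMARY)):
        print(name, audit("http://yourdomain.com/", table) or "no problems")
```

To check a live site, fill the table from the status codes and Location headers of the real responses for each of the four URL variants.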

Certain content on your site fails to load

At times, the Chrome URL bar displays the “information” symbol instead of the secure “lock” icon. Clicking on this symbol provides an explanation about the anomaly. Typically, it informs, “Your connection to this site is not fully secure.” This dilemma arises due to the presence of mixed content on a site or web page.

The "info" icon for the "Info or Not Secure" error.

In instances of mixed content, the site’s code comprises HTTP URLs. These URLs may exist in links, custom code, or any other link field on the site. The presence of such mixed content triggers the “not secure” label for these URLs. Certain browsers may decline to load content served over HTTP.

Identifying the HTTP links

Determine the location and nature of mixed content by accessing your browser’s console. To open it, press Command + Option + J (on Mac) or Control + Shift + J (on Windows). The console will outline the HTTP URL along with its context, possibly highlighting its presence in a form or elsewhere.

Subsequently, on identifying the HTTP URLs, replace them with their HTTPS counterparts, where available. Most URLs will have equivalent HTTPS versions; however, certain code or images might lack hosting on secure sites. In such cases, the content should be sourced from or hosted on secure external platforms.
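
The browser console reports mixed content one page at a time; the same search can be run over exported or saved HTML before publishing. The following is an added example, not Webflow code: the scanner, its category names and the sample markup are constructed for illustration, and all hostnames are placeholders.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page.
SUBRESOURCES = {("script", "src"), ("img", "src"), ("iframe", "src"),
                ("video", "src"), ("video", "poster"), ("audio", "src"),
                ("source", "src"), ("embed", "src"), ("object", "data")}

class HttpUrlScanner(HTMLParser):
    """Record every known URL attribute whose value starts with http://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        for name, url in attrs.items():
            if not url.lower().startswith("http://"):
                continue
            if (tag, name) in SUBRESOURCES:
                kind = "subresource"      # mixed content on an HTTPS page
            elif name == "href" and tag in ("a", "link"):
                is_css = tag == "link" and "stylesheet" in attrs.get("rel", "").lower()
                kind = "subresource" if is_css else "link"
            elif tag == "form" and name == "action":
                kind = "form-action"      # submitted data leaves over HTTP
            elif tag == "meta" and name == "content":
                kind = "metadata"         # e.g. an Open Graph image URL
            else:
                continue                  # e.g. xmlns namespace declarations
            self.findings.append((self.getpos()[0], kind, tag, name, url))

def scan(html):
    """Return the http:// findings for one HTML document, in source order."""
    scanner = HttpUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample markup; all hostnames are placeholders.
SAMPLE_HTML = """<meta property="og:image" content="http://cdn.example.test/share.png">
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://widgets.example.test/embed.js"></script>
<a href="http://blog.example.test/">Blog</a>
<form action="http://forms.example.test/submit" method="post"></form>"""

if __name__ == "__main__":
    for line, kind, tag, attr, url in scan(SAMPLE_HTML):
        print(f"line {line}: {kind:11} <{tag} {attr}> {url}")
```

Findings of kind "subresource" are the ones a browser reports as mixed content; the other kinds correspond to the link, form and Open Graph fields where this page also recommends https:// URLs.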

Tip: Unsecured code on your site can leave sensitive customer data vulnerable! It is crucial to ensure that your custom code doesn’t introduce security loopholes.

Optimal Method: Universal adoption of HTTPS

Use URLs beginning with https:// when adding links in the following areas:

  • Link configurations for link elements and inline-links within text elements
  • Inline-links in rich text elements and rich text fields
  • Social media icons
  • Video elements and video fields
  • Video and media linkages within rich texts
  • CMS link fields
  • Page’s Open Graph settings
  • Page’s Site search image
  • Site-specific custom code and page custom code
  • Embedded On-page custom code elements
  • External form action URLs
  • Sitemap link in your robots.txt

Key Information: Webflow hosts all assets on a secure platform. Formerly, users could insert images directly into rich text elements and fields. If such content is present, be certain to upload the images via the rich text editor. This ensures that the images are hosted with a secure provider.

Your site fails to load and displays “Connection not secure”

In an instance where your site fails to load and the browser displays the message “Connection is not private” or “This Connection is Untrustworthy”:

  • Validate that SSL is operational and the DNS records are accurate
  • Re-publish your site
  • Conduct a test in incognito mode
  • In case of successful loading in incognito mode, clear the browser’s cache
  • If issues persist, follow Google’s guide provided here

For further assistance, please reach out to Webflow support.

Ewan Mak