SSL

If you want to improve security on your store, then you can activate SSL certificates in your Shopify admin. SSL certificates encrypt your store's content and publish it securely using HTTPS instead of HTTP.

For example, if your store's URL is http://www.example.com, it will be updated to https://www.example.com after you activate SSL certificates. Customers who use the original URL will be redirected to the encrypted online store.

Having SSL certificates on your online store lets you:

  • add a new layer of security to your online store by using HTTPS instead of HTTP
  • build customer trust by displaying the SSL padlock icon beside your online store's URL:

SSL Padlock icon

If your online store displays content (including images, videos, or webfonts) that's hosted somewhere other than Shopify, then you can verify it on the Domains settings page in your Shopify admin to make sure it doesn't invalidate your SSL certificate.

Best practices for SSL content

You can take the following actions to make sure your store's online content stays secure:

  • host all of your online store's content on Shopify or a server that publishes over HTTPS (learn about uploading files to your Shopify admin)
  • host your video content on a service that publishes over HTTPS
  • if you're using webfonts, make sure they're published over HTTPS from their source.

HSTS

HTTP Strict Transport Security (HSTS) is a mechanism that forces browsers to access a website with an HTTPS connection only. Using a secure connection in this way prevents certain kinds of network attacks, which helps ensure the safety of your information and your customers' information.

An HSTS policy can be set on a domain for a fixed length of time. Shopify's default length is 90 days.

If you remove a domain or leave Shopify entirely, then this policy will remain in effect on the domain for a further three months, but you won't need to take any additional steps as long as you move the domain to another platform that uses HTTPS.

If you move the domain to a platform that doesn't use HTTPS, then for the next three months after removing the domain from Shopify, anyone attempting to access the site will see an error message in their browser that says the site is not trusted or the certificate is not valid.

If you have additional questions, then please contact Shopify Support.

Updating domain sitemap

You can manually update your domain's sitemap and notify search engines immediately when your storefront URLs change from HTTP to HTTPS.

Activating SSL certificates for your domain can temporarily affect your website's organic traffic. If you're using webmaster tools to manage your website (like Google Webmaster Tools), then you can manually update your domain's sitemap and notify search engines immediately when your storefront URLs change from HTTP to HTTPS.

This process is different depending on the webmaster tools that you use.

Google Webmaster Tools

This example shows how to update your domain's sitemap using Google Webmaster Tools. If you haven't used Google Webmaster Tools before, then you need to verify your Shopify domain first.

To update your domain's sitemap using Google Webmaster Tools:

  1. Log in to your Google Webmaster Tools account.
  2. From the Search Console, enter your domain (including the prefix HTTPS://), and then click ADD PROPERTY.
  3. Click the name of the domain that's been encrypted using SSL.
  4. Click Crawl, and then click Sitemaps.
  5. Click ADD/TEST SITEMAP.
  6. Enter your domain's new HTTPS sitemap (for example: https://www.your-shopify-domain.com/sitemap.xml).
  7. Remove your domain's HTTP sitemap from its profile.

Ready to start selling with Shopify?

Try it free