SSL

If you want to improve security on your store, then you can activate SSL certificates in your Shopify admin. SSL certificates encrypt your store's content and publish it securely using HTTPS instead of HTTP.

For example, if your store's URL is http://www.example.com, it will be updated to https://www.example.com after you activate SSL certificates. Customers who use the original URL will be redirected to the encrypted online store.

Having SSL certificates on your online store lets you:

  • add a new layer of security to your online store by using HTTPS instead of HTTP
  • build customer trust by displaying the SSL padlock icon beside your online store's URL:

SSL Padlock icon

If your online store displays content (including images, videos, or webfonts) that's hosted somewhere other than Shopify, then you can verify it on the Domains settings page in your Shopify admin to make sure it doesn't invalidate your SSL certificate.

Best practices for SSL content

You can take the following actions to make sure your store's online content stays secure:

  • Host all of your online store's content on Shopify or a server that publishes over HTTPS (learn about uploading files to your Shopify admin).
  • Host your video content on a service that publishes over HTTPS.
  • When using webfonts, make sure they're published over HTTPS from their source.
  • Don't use CAA (Certification Authority Authorization) records. If CAA records are required, the following Certificate Authorities must be added to each CAA record:

HSTS

HTTP Strict Transport Security (HSTS) is a mechanism that forces browsers to access a website with an HTTPS connection only. Using a secure connection in this way prevents certain kinds of network attacks, which helps ensure the safety of your information and your customers' information.

An HSTS policy can be set on a domain for a fixed length of time. Shopify's default length is 90 days.

If you remove a domain or leave Shopify entirely, then this policy will remain in effect on the domain for a further three months, but you won't need to take any additional steps as long as you move the domain to another platform that uses HTTPS.

If you move the domain to a platform that doesn't use HTTPS, then for the next three months after removing the domain from Shopify, anyone attempting to access the site will see an error message in their browser that says the site is not trusted or the certificate is not valid.

If you have additional questions, then contact Shopify Support.

Updating domain sitemap

You can manually update your domain's sitemap and notify search engines immediately when your storefront URLs change from HTTP to HTTPS.

Activating SSL certificates for your domain can temporarily affect your website's organic traffic. If you're using webmaster tools to manage your website (like Google Webmaster Tools), then you can manually update your domain's sitemap and notify search engines immediately when your storefront URLs change from HTTP to HTTPS.

This process is different depending on the webmaster tools that you use.

Google Webmaster Tools

This example shows how to update your domain's sitemap using Google Webmaster Tools. If you haven't used Google Webmaster Tools before, then you need to verify your Shopify domain first.

To update your domain's sitemap using Google Webmaster Tools:

  1. Log in to your Google Webmaster Tools account.
  2. From the Search Console, enter your domain (including the prefix HTTPS://), and then click ADD PROPERTY.
  3. Click the name of the domain that's been encrypted using SSL.
  4. Click Crawl, and then click Sitemaps.
  5. Click ADD/TEST SITEMAP.
  6. Enter your domain's new HTTPS sitemap (for example: https://www.your-shopify-domain.com/sitemap.xml).
  7. Remove your domain's HTTP sitemap from its profile.

SSL unavailable error

After you've connected your domain to Shopify, you might see the following security error in your browser:

  • Your connection is not private - Google Chrome
  • Your connection is not secure - Mozilla Firefox
  • There is a problem connecting securely to this website - Microsoft Edge

To resolve the security error, make sure that your domain record settings are configured correctly. The most common issues with domain configurations are:

After you've confirmed that your domain record settings are configured correctly, it can take between 1 to 48 hours for DNS changes to take effect. If you still see the security error message after 48 hours, then contact Shopify Support

Ready to start selling with Shopify?

Try it free