SSL

After you select a Shopify plan and remove the password from your online store, you can activate SSL certificates in your Shopify admin to encrypt your online store's content and publish it securely using HTTPS instead of HTTP. For example, if your store's URL is http://www.boutique.com, it will be updated to https://www.boutique.com after you activate SSL certificates. Customers who use the original URL will be redirected to the encrypted online store.

Having SSL certificates on your online store lets you:

  • add a new layer of security—256-bit encryption—to your online store by using HTTPS instead of HTTP
  • build customer trust by displaying the SSL padlock icon beside your online store's URL:
Ssl padlock icon

If your online store displays content (including images, videos, or webfonts) that's hosted somewhere other than Shopify, then you can verify it on the Domains settings page in your Shopify admin to make sure it doesn't invalidate your online store's SSL certificate.

Tip

SSL certificates are activated by default in Shopify for your store's checkout, and for any content that's hosted on your .myshopify.com domain.

Best practices for SSL content

There are a few things you can do to make sure your online store's content stays secure:

  • host all of your online store's content on Shopify or a server that publishes over HTTPS (learn about uploading files to your Shopify admin)
  • host your video content on a service that publishes over HTTPS
  • if you're using webfonts, make sure they're published over HTTPS from their source.

HSTS

HTTP Strict Transport Security (HSTS) is a mechanism that forces browsers to access a website with an HTTPS connection only. Using a secure connection in this way prevents certain kinds of network attacks, which helps ensure the safety of your information and your customers' information.

HSTS policy can be set on a domain for a fixed length of time. Shopify's default length is three months (90 days).

If you remove a domain or leave Shopify entirely, then this policy will remain in effect on the domain for a further three months, but you won't need to take any additional steps as long as you move the domain to another platform that uses HTTPS.

If you move the domain to a platform that doesn't use HTTPS, then for the next three months after removing the domain from Shopify, anyone attempting to access the site will see an error message in their browser that says the site is not trusted or the certificate is not valid.

If you have additional questions, then please contact Shopify Support.

Want to discuss this page?

Visit the Shopify Community

Ready to start selling online with Shopify?

Try it free