The short answer
Webflow provides a free SSL certificate for your site. It is provisioned for you and renewed automatically. You do not buy it, install it, or think about it.
Which means if your SSL check is failing on a Webflow site, the certificate itself is rarely the problem. It is usually one of three things: DNS pointing somewhere unexpected, mixed content on your pages, or a custom certificate that quietly expired.
Who issues your certificate
Webflow uses Let's Encrypt and Google Trust Services. Most people never need to know this. It matters in exactly one situation.
If your domain has CAA records, which tell certificate authorities who is allowed to issue for you, they must permit both. A CAA record that only allows one issuer will silently block renewal from the other. Certificates then fail to renew and nobody knows why until the site goes red.
If you have never heard of CAA records, you almost certainly do not have any, and this does not apply to you.
Check your DNS first
A certificate cannot provision for a domain that is not pointing at Webflow properly. Webflow changed its DNS values on 21 April 2025, and a lot of older sites and older tutorials still use the old ones.
The current values:
A @ 198.202.211.1
CNAME www cdn.webflow.com
TXT _webflow (the verification value from your Webflow project)The verification value is specific to your project, so take it from your Webflow site settings rather than from any guide. If you see proxy-ssl.webflow.com in your DNS, that is a legacy value. Always confirm current values in Webflow itself before changing DNS.
The order matters, and it is not optional
This is the single most common way people break their own site while trying to secure it. Do these in order and never skip ahead.
- 1.Certificate first. Confirm https:// loads your site with no warning, on both the root domain and www.
- 2.Then force HTTPS. Make sure every http:// request redirects to https://.
- 3.Then HSTS. This tells browsers to refuse http:// for your domain from now on.
About HSTS on Webflow
Good news, and slightly odd news. On non-Enterprise Webflow sites, HSTS is enabled automatically and cannot be disabled. Step three is done for you.
On Enterprise it becomes a toggle in Advanced publishing options, which means it is something you can forget to turn on. If you are on Enterprise, go and check.
One serious warning about preload. Getting onto the HSTS preload list requires max-age of at least 31536000, includeSubDomains, the preload directive, a valid certificate, an HTTP to HTTPS redirect on the same host, and every subdomain on HTTPS. It is not a checkbox to tick for a better score. Inclusion cannot easily be undone, and removal takes months to reach users through a Chrome update. If any subdomain of yours is not on HTTPS, preload will break it for everyone, and you will wait months for the fix to land. Do not do this casually.
Mixed content, the usual culprit
Your certificate is fine, your site loads over https, and the browser still shows a warning. That is mixed content. Something on the page is being loaded over plain http.
The browser will not show the padlock cleanly if the page pulls in insecure resources. On Webflow, look for:
- →Images or files linked with a full http:// URL instead of a relative path or https.
- →Embed and custom code blocks pointing at http:// scripts, stylesheets or fonts. These are the most common offender because they were pasted in from somewhere else.
- →Head and footer custom code at site level and page level. Check both, they are separate.
- →Third-party embeds from older services that still serve over http. If the service has no https version, replace it.
Finding mixed content
Open your live site, open your browser's developer tools, and look at the console. Mixed content warnings name the exact URL that is loading insecurely. Fix them by changing http:// to https:// where the resource supports it, or removing the resource where it does not.
One note: protocol-relative URLs, the ones starting with //, are a legacy technique and no longer recommended. Use the full https:// URL.
The custom certificate trap
Webflow supports uploading your own certificate on Enterprise only. If you are considering it, know this first.
Webflow does not automatically renew custom SSL certificates. That is their own documented behaviour. You take on the renewal yourself, forever, manually.
So an Enterprise site with a custom certificate is the one Webflow configuration where SSL can just expire one day. The free automatic certificate has no such failure mode. Unless you have a genuine reason for a custom certificate, such as a compliance requirement or an EV certificate mandate, the free one is the safer choice. This is a rare case where the cheaper option is also the more reliable one.
If you have Cloudflare in front
If you run your site through your own Cloudflare zone, which Webflow officially supports, two things matter for SSL.
Your SSL mode must be Full (Strict). Anything else and you are either breaking the connection or pretending to encrypt it.
And if your Webflow certificate will not issue at all, check for a Cloudflare Zone Hold. A zone hold blocks Webflow SSL issuance, and it is a quiet failure that is easy to miss while you are looking at DNS. This comes up on the security headers route too, since Cloudflare is how non-Enterprise sites get real header control.
Check it worked
Once the certificate is live and mixed content is cleared, test it. Our free safety check reports your certificate status alongside security headers, email authentication and everything else a visitor would notice.
Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.
Run a free checkFrequently asked questions
Does Webflow provide free SSL?
Yes. Every Webflow site gets a free certificate, provisioned automatically and renewed automatically. You do not need to buy one or install anything. Webflow uses Let's Encrypt and Google Trust Services as its certificate authorities.
My site has a certificate but the browser still shows a warning. Why?
Almost always mixed content. The page is loading something over plain http, usually an image with a hardcoded URL or a script in a custom code embed. Open your browser console on the live site and it will name the exact URL. Fix the http:// references to https:// or remove them.
Can I upload my own SSL certificate to Webflow?
Only on Enterprise, and there is a real catch. Webflow does not automatically renew custom SSL certificates. The renewal becomes your job, permanently, and forgetting it takes your site down. The free automatic certificate has no such risk, so unless you have a specific requirement, stay with it.
Should I enable HSTS preload on my Webflow site?
Be careful. Preload requires max-age of at least a year, includeSubDomains, the preload directive, a valid certificate, an HTTP to HTTPS redirect, and every subdomain on HTTPS. Inclusion cannot easily be undone and removal takes months to reach users via a Chrome update. If any subdomain is not on HTTPS, you will break it for everyone. Not worth it for a scanner score.
Do I need to enable HSTS on Webflow?
On a non-Enterprise site, no. It is enabled automatically and cannot be disabled. On Enterprise it is a toggle in Advanced publishing options, so check that it is actually on.
Why will my certificate not issue?
Check your DNS points at Webflow using their current values, which changed on 21 April 2025. If you run Cloudflare in front, check for a Cloudflare Zone Hold, which blocks Webflow SSL issuance. Also check for CAA records, since they must allow both Let's Encrypt and Google Trust Services.