HTTPS (SSL)
Last updated
Was this helpful?
Web-Dev-Hub-Docs
Last updated
Was this helpful?
Netlify offers free HTTPS on all sites, including automatic certificate creation and renewal. Our certificates use the modern TLS protocol, which has replaced the now deprecated SSL standard.
HTTPS brings a lot of advantages:
Content integrity: Without HTTPS, free Wi-Fi services can inject ads into your pages.
Security: If your site has a login or accepts form submissions, HTTPS is essential for your users’ security and privacy.
SEO: Google search results prioritize sites with HTTPS enabled.
Referral analytics: HTTPS-enabled sites will not send referral data to sites without HTTPS enabled.
HTTP/2: Boost your sites’ performance — requires HTTPS.
Netlify offers three different ways of providing a certificate for HTTPS.
Netlify-managed certificates are offered to all Netlify sites for free. Find details for this in the section on .
Custom certificates are a way for you to provide a certificate that matches your specifications — things like a wildcard certificate or an Extended Validation (EV) certificate. If you’d like to provide your own custom certificate, refer to below for more details.
Certificates with dedicated IPs are available for people who do not want to use certificates. If you want your own unique certificate available to all browsers without requiring SNI and without a shared certificate as fallback, . (This feature may not be available on all .)
When you create a new site on Netlify, it’s instantly secured at the Netlify-generated URL (for example, https://brave-curie-67195.netlify.app). If you add a , we will automatically provision a certificate with , enabling HTTPS on your domain. Certificates are generated and renewed automatically as needed.
Use Netlify DNS for automatic wildcards
In rare circumstances, there can be problems when provisioning a certificate for some domains. You can check the status of your site’s certificates in Site settings > Domain management > HTTPS.
#Domain aliases
Avoid rate limiting for subdomains
If you already have a certificate for your domain and prefer that to Netlify’s domain-validated certificate, you can install your own.
To install a certificate, you’ll need:
the certificate itself, in X.509 PEM format (usually a .crt file)
the private key you used to request the certificate
a chain of intermediary certificates from your Certificate Authority (CA)
In Site settings > Domain management > HTTPS, select Set Custom Certificate, then enter the information above.
Renewal is not automatic
Netlify validates that the certificate matches the custom domain for your site and that the DNS record for the domain is pointed at Netlify, then installs your certificate. If your certificate covers several of your sites (in other words, if it’s a wildcard certificate or uses Subject Alternative Names), you can install it on one site, and it will apply to all other sites covered by the certificate.
Your custom domain must be accessible in the www subdomain. For example: www.petsofnetlify.com.
_headers
netlify.toml
When this is set, the browser assumes that your site, along with all subdomains, can be accessed using HTTPS, and it will force those connections.
This action is not easily reversible
When HTTPS is enabled for your site, Netlify supports HTTP/2, a newer internet protocol engineered for faster web performance. This brings support for core HTTP/2 features like request multiplexing and compressed headers, but does not include server push capability.
If your domain uses , we’ll automatically provision a wildcard certificate, which ensures instant HTTPS for all of the Netlify sites using subdomains of that domain.
If you’re having trouble with the automatic provisioning, visit the for an error message guide and other tips.
Your certificate will include all your when it’s issued, but note that DNS also needs to be configured in advance for all aliases for us to include them on your certificate. Visit the for more information on confirming the new configuration.
If you have more than 5 aliases that are subdomains of the same domain, you might run into rate limits with our certificate provider. In that case we recommend you provide your own wildcard certificate using Netlify DNS or for our assistance for getting them set up with our certificate provider. Please do this before adding any aliases for best results!
When the time comes to renew your custom certificate, Netlify cannot do this automatically. You will need to renew it at your Certificate Authority, then follow the steps above to install it on your Netlify site. For automatic renewal, you can switch to a .
Netlify’s standard HTTPS handling relies on a browser standard called , or SNI. It makes provisioning and verifying certificates more efficient, but it’s not supported on , like Internet Explorer 7 on Windows XP, or Android 4. Site visitors using these browsers will encounter a security message on your site before they can access it over HTTPS. You might also experience issues with certain automated tools, like PhantomJS below 2.0 (early 2015).
If you don’t want to use an SNI-based certificate for your site, Netlify offers the option for a traditional certificate with a dedicated IP. Please for more information. (This feature may not be available on all .)
Most major browsers use a list of predefined domains to automatically connect to websites using HTTPS. This list is called the HTTP Strict Transport Security (HSTS) preload list. Your site can be included in this list if you follow the requirements in :
You must include this header in your or :
Please make sure to only use the directive preload once you’re confident that the domain and all subdomains are ready to be served using only HTTPS, since this setting is hard to remove once it’s in place, .