SSL and domain security in HubSpot

Written by HubSpot Support | Feb 18, 2020 5:00:00 AM

When you connect a domain to HubSpot, SSL will automatically be provisioned for that domain. This usually takes a few minutes, but can take up to four hours.

Please note: if you encounter any errors during the SSL provisioning process, please see our troubleshooting guide for SSL certificate errors.

SSL

Standard SSL provided through HubSpot is free and will automatically renew the certificate 30 days before the expiration date. To renew the certificate, both of the conditions must be true:

You are still a HubSpot customer.
You still have your domain CNAME pointed to the secure server which was set up in the initial process.

You can also purchase dedicated SSL or custom third-party certificates through HubSpot instead of the standard SAN certificate. To set this up, contact your Customer Success Manager. You cannot use a pre-existing SSL certificate, as it would compromise the security of the certificate. HubSpot must generate the certificate signing request (CSR) in order for it to be used with HubSpot.

If you're using a custom certificate, a HubSpot team member will reach out 14-30 days ahead of time to discuss renewal and any necessary technical steps.

Please note: DigiCert is the certificate authority that provisions a certificate for your domain. If your domain has a Certification Authority Authorization (CAA) record, ensure digicert.com is listed so SSL can be provisioned or renewed.

Pre-provision your SSL certificate

Verifying your domain allows HubSpot to provision SSL before connecting the domain. This means there will be no SSL downtime when you make DNS changes to point your domain to HubSpot. To verify the ownership of a domain during the domain connection process:

In step 1 of the Verify URLs stage, click Click here.

In the dialog box, click Send verification email. This will prompt an email to the email address registered with the domain, as stored with who.is.

Click the link in the email.

If you don't receive a validation email:

Check your spam and junk folder for an email from <support@certvalidate.cloudflare.com>.
Check the email address registered to your domain. Ensure you are checking this email's inbox.
Add your email address to who.is.

If you check your spam and junk folder and are not able to add your email to who.is, contact HubSpot Support about alternative pre-provisioning methods..

Domain security settings

You can customize the security settings for each subdomain connected to HubSpot. Security settings include your website protocol (HTTP vs. HTTPS), TLS version, and your website security headers.

To update a domain's security settings:

In your HubSpot account, click the settings icon settings in the main navigation bar.
In the left sidebar menu, navigate to Domains & URLs.
Click Edit next to the domain, then select Update domain security settings.

HTTPS protocol

By default, HubSpot enables HTTPS protocol once SSL has been provisioned. This will automatically send your site visitors to the secure https version of your site, rather than the insecure http.

Once this is enabled, content loaded over HTTP, such as images and stylesheets, will not load on your site. Content loaded over HTTP on an HTTPS site is referred to as mixed content. If you're seeing mixed content errors on your page, check out our troubleshooting guide.

To disable HTTPS protocol, clear the Require HTTPS checkbox.

TLS version

By default, HubSpot servers will accept a connection using TLS 1.0 and above.

To change which TLS versions are supported, click the TLS version dropdown menu and select the lowest TLS version that you want to support. Connections attempting to use a TLS version lower than the minimum set will fail.

Security headers

Configure your domain security by enabling security header settings per domain.

HTTP Strict Transport Security (HSTS)

You can add an extra layer of security to your website by enabling HTTP Strict Transport Security (HSTS). HSTS instructs browsers to convert all HTTP requests to HTTPS requests instead. Enabling HSTS adds the HSTS header to responses for requests made to the URLs on the subdomain.

To enable HSTS, click the Security headers tab, then select the HTTP Strict Transport Security (HSTS) checkbox.

To set how long browser should remember to convert HTTP to HTTPS requests, click the Duration (max-age) dropdown menu and select a duration.
To include the preload directive in the domain's HSTS header, select the Enable preload checkbox. Learn more about HSTS preloading.
To include the HSTS header in all subdomains under the selected subdomain, select the Include subdomains checkbox. For example, if HSTS is enabled for www.examplewebsite.com and the Include subdomains checkbox is selected, cool.www.examplewebsite.com will also have HSTS enabled.

Learn more about the HSTS header.

Additional domain security settings (CMS Hub Enterprise only)

If you have a CMS Hub Enterprise account, you can enable the additional security settings below.

X-Frame-Options

Enable the X-Frame-Options response header to indicate whether or not a browser can render a page in <frame>, <iframe>, <embed>, or <object> HTML tags.

To enable X-Frame-Options, select the X-Frame-Options checkbox, then select a Directive from the dropdown menu:

To prevent pages on your domain from being loaded on any page in the above tags, select deny.
To allow pages on your domain to load in the above tags across your domain only, select sameorigin.

Learn more about the X-Frame-Options header.

X-XSS-Protection

Enable the X-XSS-Protection header to add a layer of security for users of older web browsers by preventing pages from loading when cross-site scripting is detected.

To enable this header, select the X-XSS-Protection checkbox, then select an XSS setting from the dropdown menu:

To disable XSS filtering, select 0.
To remove the unsafe parts of a page when a cross-site scripting attack is detected, select 1.
To prevent the rendering of a page if an attack is detected, select 1; mode=block.

Learn more about the X-XSS-Protection header.

X-Content-Type-Options

Enable the X-Content-Type-Options header to opt pages out of MIME type sniffing. Enabling this setting tells the browser to follow the MIME types advertised in the Content-Type headers.

Learn more about the X-Content-Type-Options header.

Content-Security-Policy

Enable the Content-Security-Policy header to control resources that the user agent can load on a page. This header helps to prevent cross-site scripting attacks.

To enable the Content-Security-Policy header, select the Content-Security-Policy checkbox, then specify your Policy directives. For a list of available directives, check out Mozilla's Content-Security-Policy header guide.

To allow <script> elements to execute only if they contain a nonce attribute matching the randomly-generated header value, select Enable nonce.

Content-Security-Policy-Report-Only

Enable the Content-Security-Policy-Report-Only header to monitor policy directives. Policy directives will not be enforced, but the effects will be monitored, which can be useful when experimenting with policies.

To enable this header, select the Content-Security-Policy-Report-Only checkbox, then enter your Policy directives.

To allow <script> elements to execute only if they contain a nonce attribute matching the randomly-generated header value, select Enable nonce.

Learn more about the Content-Security-Policy-Report-Only header.

Referrer-Policy

Enable the Referrer-Policy header to control how much referrer information should be included with requests.

To enable this header, select the Referrer-Policy checkbox, then select a Directive from the dropdown menu.

For a definition of the available directives, see Mozilla's Referrer-Policy guide.

Feature-Policy

Enable the Feature-Policy header to control the use of browser features on the page, including <iframe> element content.

To enable this header, select the Feature-Policy checkbox, then enter your Directives. For a list of directives, see Mozilla's Feature-Policy guide.

View full post