Skip to content

SSL and domain security in HubSpot

Last updated: September 26, 2025

Available with any of the following subscriptions, except where noted:

HubSpot automatically provisions a standard SAN SSL certificate through Google Trust Services when you connect a domain to your account. Standard SSL provisioning usually takes a few minutes, but can take up to four hours.

If you've purchased the custom SSL add-on, you can upload custom SSL certificates to HubSpot. You can also configure security settings for each connected domain, such as TLS versions and security headers.

Please note: if you encounter errors during the SSL provisioning process, learn more about troubleshooting SSL certificate errors.

SSL

Standard SAN SSL provided through HubSpot is free and automatically renews 30 days before expiration. To renew the certificate:

  • You must be a HubSpot customer.
  • You must have your domain CNAME pointed to the secure server set up in the initial process.
If you'd prefer to use a different provider or certificate type, you can add custom SSL certificates to your account by purchasing the custom SSL add-on. You can't use a pre-existing SSL certificate, because this compromises the security of the certificate.
 
Please note:
  • Google Trust Services is the certificate authority that provisions a certificate for your domain. If your domain has a Certification Authority Authorization (CAA) record, ensure pki.goog is listed so SSL can be provisioned or renewed.
  • If you are using a Let's Encrypt SSL certificate, it's recommended to remove your CAA record, then add a CAA record to support Google Trust Services. This will ensure your website functions as expected on older Android devices. 

Pre-provision your SSL certificate

If you're moving your existing site to HubSpot, you may want to pre-provision an SSL certificate so there's no SSL downtime. You can pre-provision an SSL certificate while connecting a domain to HubSpot.

  1. During the connection process for a domain, a banner will be visible if your site has an existing SSL certificate. Click pre-provisioning and follow the instructions in the dialog box to start the provisioning process.

The domain manager is displayed on the verification step for connecting a domain. A box is placed around the text 'pre-provisioning' for SSL, just below the View my DNS records section.

  1. In a separate browser window or tab, sign in to your domain provider's site (e.g., GoDaddy or Namecheap).
  2. On your domain provider's site, navigate to the DNS settings where you manage your DNS records.
  3. Create new DNS records, according to the Pre-provision your SSL certificate dialog box in HubSpot. Copy the Host, and Required Data values.
  4. When finished, click Verify in the Pre-provision your SSL certificate dialog box. It can take up to four hours for your changes to process. If you get an error when clicking Verify, wait a few minutes, then click Verify to check again.

Please note: if you're using Network Solutions, Namecheap, or GoDaddy, you do not need to copy the root domain. Your provider will add a root domain to the end of the DNS record automatically.

  1. After your certificate has been successfully pre-provisioned, a confirmation banner will appear on the domain connection screen. You can then continue connecting your domain.

Set up a Domain Control Validation (DCV) record

If you see an error in your domain settings stating that "Reverse proxy domains need your action to avoid website disruption," it's recommended to add a Domain Control Validation (DCV) record to keep your SSL certificate up to date. 

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. For each domain with an Action required label, click the Actions dropdown menu and select Show DNS records.
  4. In a separate browser window or tab, sign in to your domain provider's site and access your DNS records. Learn more about DNS setup for the most common providers
  5. On your domain provider's site, navigate to the DNS settings where you manage your DNS records.
  6. Create new DNS records, according to the dialog box in HubSpot. Copy the DCV record values and paste them into the new record on your domain provider's site in the DNS settings.
  7. When you add a new DCV record to your DNS account, it can take up to 24 hours for the DNS changes to finish updating.

Domain security settings

You can customize the security settings for each subdomain connected to HubSpot. Security settings include your website protocol (HTTP vs. HTTPS), TLS version, and your website security headers.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.

In the domain settings, an arrow is pointing to the Actions dropdown menu for a domain.

HTTPS protocol

You can require all pages on your site to load securely over HTTPS. Once this setting is turned on, content loaded over HTTP, such as images and stylesheets, won't load on your site. Content loaded over HTTP on an HTTPS site is referred to as mixed content. Learn how to resolve mixed content errors on your page.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, select the Require HTTPS checkbox to require all pages on the domain to load securely over HTTPS instead of HTTP.
  5. When finished, click Save.
In the domain manager, the right panel for domain security settings is displayed. A box is placed around the Require HTTPS checkbox.

TLS version

By default, HubSpot servers will accept a connection using TLS 1.0 and above. Connections attempting to use a TLS version lower than the minimum set will fail.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the TLS version dropdown menu and select an option.
  5. When finished, click Save.

In the domain manager, the right panel for domain security settings is displayed. An arrow points to the TLS dropdown menu to select an option.

Security headers

You can configure your domain security and turn on security headers for each domain.

HTTP Strict Transport Security (HSTS)

You can add an extra layer of security to your website by enabling HTTP Strict Transport Security (HSTS). HSTS instructs browsers to convert all HTTP requests to HTTPS requests instead. Enabling HSTS adds the HSTS header to responses for requests made to the URLs on the subdomain. Learn more about the HSTS header.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To enable HSTS, select the HTTP Strict Transport Security (HSTS) checkbox. 
    • To edit how long browsers should remember to convert HTTP to HTTPS requests, click the Duration (max-age) dropdown menu and select a duration.
    • To include the preload directive in the domain's HSTS header, select the Enable preload checkbox. Learn more about HSTS preloading.
    • To include the HSTS header in all subdomains under the selected domain, select the Include subdomains checkbox. For example, if HSTS is turned on for www.examplewebsite.com and the Include subdomains checkbox is selected, cool.www.examplewebsite.com will also have HSTS turned on.
  6. When finished, click Save.

On the Security headers tab, a box is placed around the HTTP Strict Transport Security (HSTS) checkbox. An arrow points to the Duration (max-age) dropdown menu. Followed by two checkboxes with boxes placed around them for the Enable preload and Include subdomains options.

Additional domain security settings (Content Hub only)

If you have a Content Hub Starter, Professional, or Enterprise account, you can turn on the additional security settings below.

X-Frame-Options

You can turn on the X-Frame-Options response header to show whether a browser can render a page in <frame>, <iframe>, <embed>, or <object> html tags. Learn more about the X-Frame-Options header.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To turn on X-Frame-Options, select the X-Frame-Options checkbox, then click the Directive dropdown menu to select an option:
    • To prevent pages on your domain from being loaded on any page in the above tags, select deny.
    • To allow pages on your domain to load in the above tags across your domain only, select sameorigin.
  6. When finished, click Save.
On the Security headers tab, a box is placed around the X-Frame-Options checkbox. An arrow points to the Directive dropdown menu to select an option (e.g., deny or sameorigin).

X-XSS-Protection

You can turn on the X-XSS-Protection header to add a layer of security for users of older web browsers. Turning on X-XSS-Protection prevents pages from loading when cross-site scripting is detected. Learn more about the X-XSS-Protection header.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To turn on the X-XSS-Protection header, select the X-XSS-Protection checkbox, then click the XSS setting dropdown menu and select an option:
    • To disable XSS filtering, select 0.
    • To remove unsafe parts of a page when a cross-site scripting attack is detected, select 1.
    • To prevent the rendering of a page if an attack is detected, select 1; mode=block.
  6. When finished, click Save.
On the Security headers tab, a box is placed around the X-XSS-Protection checkbox. An arrow points to the XSS setting dropdown menu to select an option (e.g., 0, 1, or 1; mode=block).

X-Content-Type-Options

You can turn on the X-Content-Type-Options header to opt pages out of MIME type sniffing. Enabling this setting tells the browser to follow the MIME types advertised in the Content-Type headers. Learn more about the X-Content-Type-Options header.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To opt pages out of MIME type sniffing, select the X-Content-Type-Options checkbox.
  6. When finished, click Save.

Content-Security-Policy

You can turn on the Content-Security-Policy header to control the resources that the user agent can load on a page. This header helps to prevent cross-site scripting attacks.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To control the resource the user agent can load, select the Content-Security-Policy checkbox:
    • Enter directives in the Policy directives field.
    • To use the Content-Security-Policy header with the web versions of marketing emails, enter unsafe-inline as a keyword described here. Otherwise, styling from the email will be blocked. 
    • To allow <script> elements to execute only if they contain a nonce attribute matching the randomly-generated header value, select the Enable nonce checkbox.
  6. When finished, click Save.

On the Security headers tab, a box is placed around the Content-Security-Policy checkbox. An arrow points to the Policy directives text input field. Followed below by a box placed around the Enable nonce checkbox.

Please note: HubSpot automatically generates a random value on each request for all scripts from HubSpot and all scripts hosted on HubSpot.

The following domains and directives should be included to ensure full functionality on HubSpot-hosted pages:

Domain* Directive(s) Tool
*.hsadspixel.net script-src Ads
*.hs-analytics.net script-src  Analytics
*.hubapi.com connect-src API calls (HubDB, form submissions)
js.hscta.net script-src, img-src, connect-src Calls-to-action (button)
js-eu1.hscta.net (European data hosting only) script-src, img-src, connect-src Calls-to-action (button)
no-cache.hubspot.com img-src Calls-to-action (button)
*.hubspot.com script-src, img-src, connect-src, frame-src Calls-to-action (pop-up), chatflows
*.hs-sites.com frame-src Calls-to-action (pop-up)
*.hs-sites-eu1.com (European data hosting only) frame-src Calls-to-action (pop-up)
static.hsappstatic.net script-src Content (sprocket menu, video embedding)
*.usemessages.com script-src Conversations, chatflows
*.hs-banner.com script-src, connect-src Cookie banner
*.hubspotusercontent##.net (## can be 00, 10, 20, 30, or 40) script-src, img-src, style-src Files
*.hubspot.net script-src, img-src, frame-src Files
play.hubspotvideo.com frame-src Files (videos)
play-eu1.hubspotvideo.com (European data hosting only) frame-src Files (videos)
cdn2.hubspot.net img-src, style-src Files, stylesheets
Your domain connected to HubSpot frame-src, style-src, script-src Files, stylesheets
*.hscollectedforms.net script-src, connect-src Forms (non-HubSpot forms)
*.hsleadflows.net script-src Forms (pop-up forms)
*.hsforms.net script-src, img-src, frame-src Forms, surveys
*.hsforms.com script-src, img-src, frame-src, connect-src, child-src Forms, surveys
*.hs-scripts.com script-src HubSpot tracking code
*.hubspotfeedback.com script-src Surveys
feedback.hubapi.com script-src Surveys
feedback-eu1.hubapi.com (European data hosting only) script-src Surveys

Content-Security-Policy-Report-Only

You can turn on the Content-Security-Policy-Report-Only header to monitor policy directives. Policy directives won't be enforced, but the effects will be monitored, which can be useful when experimenting with policies. Learn more about the Content-Security-Policy-Report-Only header.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To turn on this header, select the Content-Security-Policy-Report-Only checkbox, then enter your Policy directives.
  6. To allow <script> elements to execute only if they contain a nonce attribute matching the randomly-generated header value, select the Enable nonce checkbox.
  7. When finished, click Save.

On the Security headers tab, a box is placed around the Content-Security-Policy-Report-Only checkbox. An arrow points to the Policy directives text input field. Followed below by a box placed around the Enable nonce checkbox.

Referrer-Policy

You can turn on the Referrer-Policy header to control how much referrer information should be included with requests. For a definition of the available directives, see Mozilla's Referrer-Policy guide.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To control how much referrer information should be included in requests, select the Referrer-Policy checkbox, then click the Directive dropdown menu, and select an option.
  6. When finished, click Save.

On the Security headers tab, a box is placed around the Referrer-Policy checkbox. An arrow points to the Directive dropdown menu to select an option.

Permissions-Policy

You can turn on the Permissions-Policy header to control the use of browser features on the page, including <iframe> element content.

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. Click the Actions dropdown menu and select Update domain security settings.
  4. In the right side panel, click the Security headers tab.
  5. To control the use of browser features, select the Permissions-Policy checkbox, then enter your Directives. For a list of directives, see Mozilla's Permissions-Policy guide.
  6. When finished, click Save.

On the Security headers tab, a box is placed around the Permissions-Policy checkbox. An arrow points to the Directives text input field.
Was this article helpful?
This form is used for documentation feedback only. Learn how to get help with HubSpot.
Table of contents Menu

Related content

New to HubSpot? Use these guides to get started.