April 28, 2026|8 min read

Squarespace Security Checklist: What's Managed vs What's Yours

Squarespace handles more security infrastructure than most platforms — but understanding the boundary between what it manages and what you own is essential for a truly secure site.

ZeriFlow Team

1,529 words

Squarespace security is, by design, largely invisible to the site owner. The platform handles SSL, hosting hardening, DDoS mitigation, and automatic HTTPS redirects without requiring any configuration. This simplicity is a feature — but it also creates a false sense of complete security. There are meaningful gaps, and knowing where the platform's responsibility ends and yours begins is the foundation of a secure Squarespace presence.

Check your site's security right now: Free ZeriFlow scan →

What Squarespace Manages For You

Before covering the gaps, it's worth being explicit about what Squarespace's managed infrastructure genuinely handles:

SSL/TLS certificates: Squarespace automatically provisions and renews SSL certificates for all custom domains via its CDN infrastructure. There's no expiry risk and no manual renewal process.

HTTPS enforcement: All Squarespace sites redirect HTTP traffic to HTTPS automatically. This is not configurable — it's always on.

DDoS mitigation: Squarespace's CDN (Fastly-powered) includes DDoS mitigation at the infrastructure layer.

Platform updates: Squarespace's CMS code, server software, and dependencies are updated by Squarespace. Unlike WordPress, you're not responsible for patching the platform.

PCI DSS for payments: Squarespace Commerce and Squarespace Payments are PCI DSS compliant for payment processing. Squarespace handles card data; you don't touch it.

Physical security: Data center physical security, access controls, and redundancy are Squarespace's responsibility.

This is a substantial list. For many businesses, particularly small ones without dedicated security resources, Squarespace's managed approach represents a significant risk reduction compared to self-hosted alternatives.


The Gaps: What You Still Control

The managed model removes infrastructure complexity but leaves several security layers in your hands.

Security headers: Squarespace does not allow merchants or designers to configure custom HTTP security headers. The headers returned by a standard Squarespace site include functional basics but often lack a Content-Security-Policy, a meaningful Permissions-Policy, and sometimes a properly configured Strict-Transport-Security.

Run a ZeriFlow scan on any Squarespace site and you'll likely see several missing headers. This is a platform limitation, not a configuration error — and it's worth understanding so you can make an informed decision about mitigation options (more on this below).
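The kind of check a scanner runs for the headers named above, as an added example that is not ZeriFlow's scanner code. The header values are constructed samples, not a captured Squarespace response; the hardened set is one illustration of what a proxy in front of the site could add.

```python
from __future__ import annotations
import re

ONE_YEAR = 31536000  # seconds; the usual minimum for a meaningful HSTS policy

# Constructed sample: functional basics present, security headers missing or weak.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
# Constructed sample of what a proxy in front of the site could add on every response.
HARDENED_HEADERS = {
    **SAMPLE_HEADERS,
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://analytics.example.test",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response header set; an empty list means no gaps found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif not re.search(r"\b(default-src|script-src)\b", csp):
        findings.append("CSP restricts neither default-src nor script-src")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

for name, hdrs in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
    print(name, "->", audit_headers(hdrs) or "no findings")
```

Feed it the headers from a real response (for example, the output of `curl -sI https://yourdomain.com` parsed into a dict) to see the same gaps a scanner would report.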

Third-party script security: Every code block, custom code injection, and third-party integration you add (Google Analytics, Hotjar, Facebook Pixel, chat widgets) introduces external JavaScript into your pages. Squarespace cannot control what those scripts do, and without a strong CSP, a compromised third-party script has full access to your page DOM, including any visible sensitive data.

Account security: Squarespace secures its infrastructure, but the security of your Squarespace account login is your responsibility.

Email security (DMARC/SPF/DKIM): Squarespace does not automatically configure email authentication records for your domain. Transactional emails (order confirmations, member notifications) can be spoofed without proper email security DNS records.


Two-Factor Authentication for Your Account

Your Squarespace account controls the entirety of your website and, if you're using Squarespace Commerce, your customer and order data. Account takeover is the highest-risk threat for most Squarespace users.

Enable 2FA:

  1. Go to Account Settings (click your name in the Squarespace dashboard top navigation).
  2. Navigate to Account and Security → Two-Factor Authentication.
  3. Choose an authenticator app (Google Authenticator, Authy, 1Password) rather than SMS. SMS is vulnerable to SIM-swap attacks.
  4. Save your backup codes in a secure location (password manager).

If you have contributors or staff:

All users with access to your Squarespace site should have 2FA enabled on their Squarespace accounts. Squarespace does not allow owners to force-require 2FA for all contributors (as of 2026), so this requires an organizational policy rather than a platform enforcement.

Remove contributor access promptly when someone leaves your organization.

Run a free ZeriFlow scan → — while you're auditing account security, run a scan to see the external security posture of your site.


DMARC and Email Authentication for Squarespace

Squarespace handles transactional email for Commerce (order confirmations, shipping notifications) via its own infrastructure. If you've connected a custom sender domain, your DMARC configuration determines whether attackers can spoof your domain to phish your customers.

Check your current DNS configuration:

| Record | What it does | Status check |
|---|---|---|
| SPF (TXT @ "v=spf1...") | Authorizes mail servers to send for your domain | Check `dig TXT yourdomain.com` |
| DKIM | Cryptographically signs outbound messages | Squarespace provides a DKIM key in domain settings |
| DMARC (TXT _dmarc.yourdomain.com) | Enforces policy when SPF/DKIM fails | Missing on most Squarespace sites |

Add a DMARC record:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"

Start with p=quarantine and monitor the aggregate reports (sent to your rua email). After 2-4 weeks of reviewing legitimate sending sources, advance to p=reject for full protection.

ZeriFlow checks DMARC, SPF, and DKIM alignment as part of its DNS security module.
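A small grader for the DMARC and SPF records discussed in this section, added here as an example and not ZeriFlow's DNS module. It parses the record strings themselves, so it runs offline on the constructed samples below (the DMARC sample is the record from this article; the SPF sample is a made-up strict record); paste in real `dig TXT` output to grade a live domain.

```python
from __future__ import annotations
import re

def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split the 'tag=value; tag=value' DMARC syntax into a dict of lower-cased tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str | None) -> list[str]:
    """Findings for a _dmarc TXT record; an empty list means p=reject with reporting."""
    if not record:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not begin with v=DMARC1 and is ignored by receivers"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: advance to p=reject once reports show only legitimate senders")
    elif policy != "reject":
        findings.append(f"missing or invalid policy tag p={policy!r}")
    pct = tags.get("pct", "100")  # default is 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the failing mail")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua address: aggregate reports are not being collected")
    return findings

def assess_spf(record: str | None) -> list[str]:
    """Findings for an SPF record, judged by the qualifier on its 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any server can claim to send for the domain"]
    match = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", record, re.IGNORECASE)
    if not match:
        return ["SPF has no 'all' mechanism, so unlisted senders get a neutral result"]
    qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
    if qualifier in "+?":
        return [f"{qualifier}all does not fail unlisted senders; use ~all or -all"]
    return []  # ~all (softfail) and -all (fail) both let DMARC act on unlisted senders

# Constructed sample records: the DMARC record from the article and a strict SPF.
DMARC_FROM_ARTICLE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
SPF_SAMPLE = "v=spf1 include:_spf.example.test -all"
print(assess_dmarc(DMARC_FROM_ARTICLE), assess_spf(SPF_SAMPLE))
```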


Handling Custom Header Limitations

Since Squarespace doesn't expose server-side header configuration, your options for adding security headers are:

Option 1: Cloudflare proxy

Point your DNS to Cloudflare (in proxied/orange cloud mode). Use Cloudflare's Transform Rules to add response headers on every request passing through the proxy. This is the most robust approach and adds Cloudflare's additional WAF, bot management, and analytics capabilities.

Option 2: Accept the limitation and mitigate elsewhere

For purely content-marketing sites with no user accounts and no sensitive data, the absence of headers like Permissions-Policy may be an acceptable risk. Document the decision, monitor for third-party script compromises, and regularly audit what external scripts are loaded.

Option 3: Domain-level migration

If security header requirements are critical for your use case (regulated industry, handling sensitive data, GDPR compliance requirements), consider whether Squarespace's platform limitations justify migrating to a platform with header control (Webflow + Cloudflare, Next.js on Vercel, etc.).


SSL Certificate and TLS Configuration Audit

Squarespace's automatic SSL handles certificate provisioning, but the TLS configuration — supported cipher suites, TLS versions, certificate chain — is determined by Squarespace's CDN (Fastly).

What to verify externally:

  • TLS 1.0 and 1.1 should not be supported (deprecated). Squarespace's CDN has disabled these, but verify with your scanner.
  • The certificate chain should be valid and complete (no missing intermediate certificates).
  • The certificate should cover both yourdomain.com and www.yourdomain.com (check your Squarespace domain settings if you use a non-www primary domain).
  • Certificate expiry should be well in the future (Squarespace auto-renews, but verify after any recent domain transfer).

Backups: Squarespace's Approach and Its Limits

Squarespace maintains infrastructure-level backups of its platform. However, these are not accessible to you for content restoration — they exist for Squarespace's disaster recovery, not yours.

What you can back up:

  • Content: Use Squarespace's Export feature (Settings → Advanced → Export) to export your site content to a WordPress XML format. This captures pages, blog posts, and some commerce data.
  • Product catalog and orders: Export your Squarespace Commerce product catalog and order history as CSV from the Commerce dashboard.
  • Google Drive / Dropbox backups: Some third-party services offer automated Squarespace content backups.

Run exports quarterly, or before any major site restructuring. Store exports in an external location (not just your Squarespace dashboard).


FAQ

### Q: Does Squarespace automatically enforce HTTPS?

A: Yes. Squarespace enforces HTTPS on all custom domains and handles SSL certificate provisioning and renewal automatically. You cannot disable HTTPS on a Squarespace site.

### Q: Can I add a Content Security Policy header to my Squarespace site?

A: Not via Squarespace's built-in tools. The only way to add a true HTTP CSP header is to route your traffic through a proxy like Cloudflare and inject the header there. You can add a `<meta>` CSP tag via Squarespace's custom code injection (Settings → Advanced → Code Injection), which provides partial coverage.

### Q: How do I know if my Squarespace site is secure?

A: Run an external security scan with ZeriFlow. It checks your TLS configuration, HTTP security headers, DNS records (SPF, DKIM, DMARC), and cookie security — giving you an objective view of what's configured correctly and what's missing, from an attacker's perspective.

### Q: Is Squarespace Commerce PCI compliant?

A: Yes. Squarespace Commerce and Squarespace Payments are PCI DSS Level 1 certified for payment processing. Your customers' card data is processed and stored by Squarespace, not on your site. This is one of the significant security advantages of using a fully managed platform.

### Q: What should I do if I think my Squarespace account has been compromised?

A: Immediately change your password, revoke all active sessions (Account Settings → Security → Sign out all devices), disable any contributors who may have been involved, contact Squarespace support, and enable 2FA if you haven't already. Review recent content and settings changes in the activity log.


Conclusion

Squarespace's managed platform genuinely handles most of the infrastructure security work that would otherwise fall to you. That's its core value proposition. The remaining responsibilities — account security (2FA), email authentication (DMARC), backup strategy, third-party script hygiene, and the header limitations — are worth addressing systematically.

The fastest way to understand your current security posture is an external scan that checks exactly what an attacker sees.

Run a free ZeriFlow scan → — 60 seconds, no credit card.
