Search the Community

Site URL: https://www.havenconnect.com currently squarespace does not allow adding HSTS directives like `includeSubDomains` or `preload`, and they don't allow modifying the `max-age` directive to a year or more. based on my understanding of HSTS, this prevents domains using squarespace from being eligible for preloading. more info here: https://scotthelme.co.uk/hsts-preloading/ i'm not a security expert so my first question is this: am i correct in understanding squarespace's HSTS implementation does not force all users to HTTPS? second question: if my understanding is correct, does squarespace plan to address this security flaw/vulnerability? and if so, when? thanks!

Site URL: http://www.cellerantconsulting.com Hello, I am getting at the top of our website URL - "Not secure - cellerantconsulting.com". How do I fix that? Thank you, Stephanie

Site URL: https://goexp.ss.gologic.ca Hi, Im trying to protect content from being public and accessible only for our organisation. I have tried member space but was unable to create membres manually. I found out that with a password protected site this could be done by having OAuth organisation authentication. After a successufull OAuth authentication we could authenticate with password via the api and redirect to hour squarespace site. I found out that this is done with cookie: crumb and Locked Is there a way to be able to bypass password page with parameters instead of cookie? Cookies are associated domain and therefore impossible to mix with our home made auth application. Is there a feature that enable us to do something like that: http://[square space domain]?crum=[crumb]&Locked=[Locked] Thanks

I am an insurance agent and Ive created a website that potential customers use to and enter their personal information for an auto or home quote. Several of my companies require a social security number in order to get an accurate quote. Is it safe and legal to ask for the customers social?

Site URL: https://securityheaders.com/ Hi, Square Space Support has directed me to the forum. Just wondering if anyone has been successful in adding in security headers to a square space site. If you scan with the above url you will see the missing headers. Support recommended injecting html but that is a client side solution to a server side requirement. After looking into this one in more detail it looks like none of those techniques will work as they are client-side rather than server-side. Chrome, for example, will ignore x-frame-options when it's in a meta tag and so we would expect that a bad actor or script would do the same thing. Here is a summary of the problem with fixes: https://security.stackexchange.com/questions/167081/how-to-add-x-frame-options-header-to-a-simple-html-file It seems the only way to set these headers as to affect security is to apply at the server level. On apache/wordpress we just use the functions file to hook in before page load and set the headers. Does squarespace have a way to do something similar? is there anything that you recommend we try aside form the client side links provided? Happy to help troubleshoot or explain in more detail.

I am a designer and am making a new site to house my portfolio. I need to ensure that the only way someone could find/view my content is if I have provided them with my URL and password to enter the site. The company I work for restricts what work can be shared with the public, even if it wasn't considered confidential information. I am also concerned with folks downloading or pulling the images off of my site. Are there ways to prevent that? Any help is appreciated!

Site URL: http://www.studioblanc.co.nz/ I have recently just set up my website and see that when people go to purchase a product it says not secure etc etc as well as having that in the URL so I have made sure all the SSL is right on the website and it still says processing- I am aware it can take up to 72 hours buuuuuut... I transfered the domain that I had already purchased to Squarespace (though nothing was ever set up for this is was just simply a domain to ensure no one else brought it) will this still work or do I need to do some other stuff?

I have already raised this issue with Squarespace Customer Care (Support Request #4378187) over 24 hours ago but no response whatsoever as yet. "Live Chat" seems to be permanently closed? Google no great help to this stage. I thought/hoped perhaps somebody here may have had a similar experience? We have been advised by a coporate client that visiting our well established Squarespace site is triggering a Firewall Alert/block. Context of the specific Alert is below. The firewall alert is being detected by Fortigate (https://www.fortinet.com/products/next-generation-firewall.html) IP 198.185.159.144 is Squarespace. Whilst this may well be a false positive, the alert of virus="FormBook" is a serious concern: https://www.symantec.com/security-center/writeup/2019-020107-5257-99 https://fortiguard.com/encyclopedia/botnet/7630314 <----------------ALERT---------------> Message meets Alert condition File Block Detected: Protocol: Email Address From: Email Address To: date=2019-08-28 time=11:34:13 devname=FG201ETK18900821 devid=FG201ETK18900821 logid="0202009249" type="utm" subtype="virus" eventtype="botnet" level="notice" vd="root" eventtime=1566956052 msg="Botnet C&C Communication." action="monitored" sessionid=762300281 srcip=192.168.250.131 dstip=198.185.159.144 srcport=57804 dstport=80 srcintf="port4" srcintfrole="dmz" dstintf="wan1" dstintfrole="wan" proto=6 direction="outgoing" virus="FormBook" dtype="ip-reputation" ref="http://www.fortinet.com/be?bid=7630314" virusid=7630314 crscore=50 crlevel="critical"

Site URL: https://www.ausliebezumhaustier.de Hi, i think a lot of people have the same challenge here with implementing GDPR or CCPA. Anybody with a good, working and cost-effective (or free) tool? I've tried Google https://fundingchoices.google.com/p/d2c40879b32a7b93/ (Free) Quantcast Choice https://www.quantcast.com/ (Free) Cookie First http://www.cookiefirst.com (Paid) Nothing is working for me (f.e. Outbrain is firing without consent on all three) Any suggestions? Any experience with Cookie Consent Cookie Control OneTrust Cookiebot Cookie Consent Kit Thanks Jan

Hi, If I want to obtain health information of a client, can I make sure that it's secure through squarespace? I saw this article: https://support.squarespace.com/hc/en-us/articles/360028867231-Squarespace-and-HIPAA but I can't tell if this is only for the scheduling tool; and even if I do subscribe to Scheduling, is signing a BAA sufficient? Thanks in advance

I've currently drafting/creating a Cookie Banner for GDPR reasons, and was wondering if it's possible to add an 'X' button to close/ignore the pop up should users not wish to give consent? I can't seem to find any other style adjustments for this purpose. You can see from the screen shot that I'm trying to use the Cookies banner to allow the website user to give consent to analytic cookies + data collected via contact forms, where analytic data is turned off by default, but it would be helpful if there was a 'close banner' button if users did not want to give this type of consent and to 'hide' the banner, so to speak. I realise this is somewhat of a work around instead of using a third party app/code to create a more detailed GDPR banner, but nonetheless I was wondering if this was possible, and/or if anyone had any other genius solutions/examples that have worked for them. Any advice would be super helpful and much appreciated :) Thanks in advance J.

Does anyone know how to block our URL in specific countries? Specifically, all of Asia and all of the Middle East. We're going through GoDaddy, but they can only block individual IP addresses, not entire countries. We run a charity in Asia and can't have our website being accessed there. Is anyone able to help, or know of someone we could hire, please? Thanks!

I keep getting this message of late: Error Saving: Your changes conflict with a newer version of this document. Your changes here will not be saved. According to Squarespace, it's due to multi-contributors or the same page opened elsewhere. But I don't have co-contributors and I don't have another page open. Is this pointing to a security hack? Or is this a wonky Squarespace thing?

Site URL: https://secondchanceagency.com/ Hubspot website grader says that java script libraries on the site are not up to date and need to be updated with security patch. What do I do to update this?

Site URL: https://fullfill.coach Hi all, Hoping someone can help as the attached message shows when accessing my site from another computer. I haven't messed with any SSL settings, and so it was already set to 'Secure'. Reading through Troubleshooting guidelines, I'm assuming it's because I have used Custom Code on the site? I would really appreciate it if someone can take a look for me? PW - fullfill Thank you!

How can I prevent someone from scraping my content and display it in another site?

Hey, quick question. My client bought as SSL form third part providers and she wants me to connect it to the SQ website. I forgot to tell her that SQ space has SSL included. So my questions is: - Can I connect it to SQ Space (https://www.names.co.uk/ssl) - Is there any difference between SQ space SSL and https://www.names.co.uk/ssl ? Is one better than the other? Any difference? - I want to suggest to my client to stick to SQ space SSL and don't bother with third party provider? What you think? I have no knowledge how the SSL protocols work. Thank you.

Site URL: https://www.merze-lifestyle.com I would like to block an IP address from entering into my website but I am on Squarespace 7. Is there custom code that needs to be created? Or do I need a third party application to achieve this? I am not a coder and so I would need to have help if custom coding is required. Thank you, Mary

In February, I asked about the ability to add security headers to a Squarespace site (e.g. XSS protection). I was told this was not currently supported and would need to be requested as a new feature. Support chat = https://support.squarespace.com/hc/en-us/requests/new?ticket_form_id=360000388052 Subsequently, I've seen a reference to the ability to add headers in Settings | Advanced | Header (linked below). Please could you confirm whether this function will support the use of security headers on the infrastructure managed by Squarespace. Many thanks

Site URL: http://bitstop.ca I was notified by Google today of a vulnerability on my website. On more investigation I found that the vulnerability is in the squarespace re-direct engine on the old versions of squarespace. http://bitstop.ca/process/Redirect?url=http://ministeriobetinho.com.br/popup_image1/screenshots.php/kpw/dvq/?island=ed1tvc0qq5v9fy5 You can see the above re-direct sends to an ad site and you can edit the url to really go anyplace you like. I reached out to Squarespace but wonder if anyone else has seen this issue or is aware of it?

Some images on a website that has an SSL certificate are still displaying as http instead of https, thus causing those webpages to display as 'not secure' by Google. Is there an easy way to switch over all images on a site like this so that they are https instead?

Hi all, I have an acquaintance who's wondering if there are any site builders or publishing platforms that don't use cookies on the user-facing end of the site. She doesn't need user membership features, so that shouldn't be a problem. Is there any way to build a Squarespace Site that doesn't need cookies? And is there any way to do it while still getting some basic analytics? Any help would be much appreciated.

Hey whats going on ya'll I'm running a content site dedicated to fitness and nutrition science I sell a product by monthly suscription - Essentially I release 5 new workouts every month to suscribers for different purposes. While squarespace does let you sell digital products with a secure link, you can't do it with suscriptions What would be the best way for me to go about doing this in a way that keeps my digital product secure? Thank you

Microsoft Security Essentials blocking website in Internet Explorer due to video banner from Youtube.

I would like to create a password login followed by a data form which will generate a code to get into my site How do i go about doing this?