SSL Certificates and HTTPS: What They Are, Why They Matter, and How Webflow Handles Them

SSL Certificates and HTTPS for Nonprofit Websites: What You Need to Know
What SSL Is — In Plain English
When you visit a website, your browser and that website's server exchange information. Without encryption, that information can be intercepted. SSL (Secure Sockets Layer) is the protocol that encrypts that connection. Technically it is now TLS (Transport Layer Security), though most people still say SSL.
You can tell whether a site has SSL by looking at the URL. Sites with SSL start with https://. Sites without it start with http://. Modern browsers display a padlock icon for HTTPS sites and often a visible warning for HTTP sites.
For nonprofits, SSL is not optional. It affects donor trust, SEO rankings, form security, and in some cases legal compliance.
Why SSL Matters for Nonprofit Websites Specifically
Donor and Beneficiary Trust
When someone is about to enter their card details or share sensitive personal information — as they might when donating or seeking support through your website — browsers actively warn them if the connection isn't secure. A browser warning on a donation page is close to a conversion-killing event. Even on pages that don't handle sensitive data, the absence of HTTPS signals to visitors that the site may not be properly maintained.
SEO
Google has used HTTPS as a ranking signal since 2014. It's a small signal compared to content quality and backlinks, but it's a free gain, and its absence actively counts against you. There's no reason to leave it off the table.
Form Security
Any form on your website — contact forms, newsletter signups, event registrations — transmits data between your visitor's browser and your server. Without SSL, that data travels unencrypted. For nonprofits collecting any kind of personal data, this is a GDPR concern as well as a trust concern.
Browser Behaviour
Modern browsers — Chrome, Firefox, Safari, Edge — actively flag HTTP sites as "Not Secure." Some browsers now block certain functionality on non-HTTPS pages. This behaviour is only getting stricter over time.
SSL in Webflow: What's Automatic and What Needs Attention
Webflow Subdomain Sites
If your site is hosted on a Webflow subdomain (yoursite.webflow.io), SSL is automatically provisioned and managed by Webflow. You don't need to do anything.
Custom Domain Sites
When you connect a custom domain to Webflow, SSL is automatically provisioned via Let's Encrypt once the DNS is correctly configured. This happens in the background after you've pointed your domain's DNS records to Webflow.
For DNS setup guidance, see my guide on connecting a custom domain to Webflow.
The key things to verify:
- DNS is correctly configured (A record or CNAME pointing to Webflow)
- Webflow has had time to provision the certificate (usually a few hours after DNS propagation)
- Both www and non-www versions of your domain are covered
- HTTP redirects to HTTPS automatically (Webflow handles this once SSL is active)
When SSL Doesn't Provision Correctly
Occasionally SSL provisioning fails or takes longer than expected. Common causes:
- DNS propagation hasn't completed yet (allow up to 48 hours)
- CAA records on your domain are blocking Let's Encrypt (check with your DNS provider)
- The domain was recently transferred and has a propagation hold
In Webflow, you can check SSL status in your site settings under the Hosting tab. If there's an issue, the interface will show an error and you can try to re-provision.
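To see why a CAA record can block provisioning, the following added example (not Webflow's or Let's Encrypt's code) applies the CAA lookup rules from RFC 8659 to a set of records and reports whether `letsencrypt.org` may issue. It goes slightly beyond the text by also covering wildcard requests; the function names and the sample zone are assumptions made for illustration.

```python
# Let's Encrypt's CAA issuer domain name.
LETS_ENCRYPT = "letsencrypt.org"

def relevant_caa(host, zone):
    """Climb from host towards the root; the first name that has CAA
    records supplies the relevant set (RFC 8659, section 3)."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def may_issue(host, zone, ca=LETS_ENCRYPT, wildcard=False):
    """Return (allowed, reason) for a certificate request for host."""
    name, records = relevant_caa(host, zone)
    if not records:
        return True, "no CAA records: any CA may issue"
    # A critical record (flag bit 128) with a tag this sketch does not know blocks issuance.
    for flags, tag, _ in records:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag '{tag}' at {name}"
    issue = [v for _, t, v in records if t.lower() == "issue"]
    wild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    values = wild if (wildcard and wild) else issue
    if not values:
        return True, f"no issue restriction at {name}"
    # Value is "<issuer-domain>[; parameters]"; a bare ";" authorises nobody.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    if ca in allowed:
        return True, f"{ca} authorised at {name}"
    named = sorted(allowed - {""}) or "no CA"
    return False, f"{name} only authorises {named}"

# Constructed sample records as (flags, tag, value); not real DNS answers.
ZONE = {
    "example.org": [(0, "issue", "digicert.com"), (0, "iodef", "mailto:it@example.org")],
    "shop.example.net": [(0, "issue", "letsencrypt.org; validationmethods=http-01")],
    "example.com": [(0, "issue", ";")],
    "example.io": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}

if __name__ == "__main__":
    for host in ("www.example.org", "shop.example.net", "example.com", "unlisted.test"):
        print(host, may_issue(host, ZONE))
```

When the result is False because another CA is the only one listed, adding a `0 issue "letsencrypt.org"` record alongside the existing one is the usual fix.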
Mixed Content: The Problem That Undermines SSL
Mixed content is what happens when an HTTPS page loads resources — images, scripts, stylesheets — over HTTP. Even with SSL correctly installed, mixed content breaks the security of the page and browsers may show warnings or block the insecure resources.
Mixed content most commonly occurs when:
- Images are embedded using absolute HTTP URLs rather than HTTPS
- Scripts from third parties are loaded via HTTP
- Embedded content (maps, videos, forms) uses HTTP src attributes
To check for mixed content issues, open Chrome DevTools (F12), go to the Console tab, and look for mixed content warnings. Fix them by updating resource URLs to HTTPS, or by removing HTTP resources and replacing them with HTTPS equivalents.
SSL for Custom Form Embeds and Third-Party Tools
Many nonprofits embed third-party tools — donation platforms, CRM forms, event registration systems. If those tools themselves are served over HTTP, embedding them on your HTTPS Webflow site creates mixed content.
Check that any embedded scripts, iframes, or form endpoints use HTTPS. Reputable third-party platforms should all be HTTPS by default now, but it's worth verifying — particularly for older integrations or less mainstream tools.
For embedding donation forms specifically, see my guide on embedding donation forms in Webflow.
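The mixed content checks described in the two sections above (images, scripts, embeds and form endpoints) can also be run against exported page markup before launch. This is an added example, not part of the original guide; the class and function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# tag -> URL attribute; active loads are blocked, passive ones warned about or upgraded.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "form":
            kind, attr = "form-action", "action"
        elif tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return  # e.g. <a href="http://..."> is a link, not a loaded resource
        # Only stylesheet <link>s are counted; canonical/alternate load nothing.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return
        url = a.get(attr, "")
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url))

def scan(html):
    """Return every plain-HTTP resource or form endpoint found in the markup."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; all hostnames are placeholders.
PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.org/site.css">
<link rel="canonical" href="http://www.example.org/donate">
<script src="http://widgets.example.net/donate.js"></script>
</head><body>
<img src="http://old.example.org/logo.png" alt="logo">
<a href="http://partner.example.com/">Partner</a>
<iframe src="https://maps.example.com/embed"></iframe>
<form action="http://crm.example.net/subscribe" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(PAGE):
        print(f"line {line}: {kind:<11} <{tag}> {url}")
```

A static scan only sees URLs present in the markup; resources injected by scripts at runtime still need the DevTools console check.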
SSL and GDPR
GDPR requires that personal data be protected with appropriate technical measures. While GDPR doesn't specifically mandate SSL, any collection of personal data over an unencrypted connection would likely be considered inadequate protection. For nonprofits collecting supporter data, beneficiary information, or any other personal data through website forms, SSL is a baseline requirement, not an optional extra.
Checking Your SSL Status
Several free tools will tell you whether your SSL certificate is correctly installed and configured:
- SSL Labs (ssllabs.com/ssltest): Comprehensive SSL test that grades your certificate and configuration
- Why No Padlock (whynopadlock.com): Specifically checks for mixed content issues
- Browser padlock: Click the padlock icon in your browser address bar for basic certificate information
For Webflow-hosted sites, these checks are mostly verifying that Webflow has done what it should automatically. They're useful for confirming everything is working as expected, particularly after a domain migration or DNS change.
SSL on the Pre-Launch Checklist
SSL verification is one of the items on the nonprofit website pre-launch checklist. Specifically:
- SSL certificate active and no browser warnings
- Both www and non-www resolve to HTTPS
- No mixed content warnings in browser console
- HTTP to HTTPS redirect confirmed
For most Webflow sites with correctly configured DNS, all of this should be automatic. The checklist items exist because "should be automatic" isn't the same as "definitely is" — and discovering an SSL issue after launch is worse than discovering it during testing.
If you're preparing for a site launch and want a comprehensive review of your technical foundations, the Blueprint Audit covers SSL, DNS configuration, and other technical prerequisites as part of a full site assessment.
Eric Phung has 7 years of Webflow development experience, having built 100+ websites across industries including SaaS, e-commerce, professional services, and nonprofits. He specialises in nonprofit website migrations using the Lumos accessibility framework (v2.2.0+) with a focus on editorial independence and WCAG AA compliance. Current clients include WHO Foundation, Do Good Daniels Family Foundation, and Territorio de Zaguates. Based in Manchester, UK, Eric focuses exclusively on helping established nonprofits migrate from WordPress and Wix to maintainable Webflow infrastructure.
