Ecommerce SSL Security: Beyond the Padlock Icon
SSL is more than a padlock. Learn about TLS versions, certificate types, mixed content, HSTS, and the security configurations that protect your store and boost SEO.
Every ecommerce store needs SSL. That's settled. But "having SSL" is a spectrum — the padlock icon in the browser bar doesn't tell you whether your configuration is actually secure, whether you're leaking data through mixed content, or whether your certificate will expire next week without anyone noticing.
TLS Version Matters
SSL is actually dead — we use TLS (Transport Layer Security) now. The version matters:
- TLS 1.0 and 1.1: Deprecated. Known vulnerabilities. Major browsers have dropped support. If your server still accepts these, you're running an insecure connection.
- TLS 1.2: Current standard. Secure when configured with strong cipher suites. This is the minimum your store should support.
- TLS 1.3: Latest version. Faster handshake (one round trip instead of two), stronger default ciphers, no support for legacy weak algorithms. Prefer this.
Check yours: Use StoreVitals' free SSL checker to see which TLS versions your server supports and whether it's using strong cipher suites.
Certificate Types
Domain Validation (DV)
Proves you own the domain. Free from Let's Encrypt, included with most hosting. Sufficient for most stores. The padlock looks identical to more expensive certificates.
Organization Validation (OV)
Verifies your business exists. Costs $50-200/year. Shows company name in certificate details (not in browser UI anymore). Provides slightly more trust for B2B stores.
Extended Validation (EV)
The most thorough verification. Used to show a green bar with company name in browsers — that's been removed by all major browsers. Now functionally identical to OV in terms of visible trust signals. Not worth the $200-500+/year for most stores.
Recommendation: Use DV certificates from Let's Encrypt (free, auto-renewing) unless you have specific compliance requirements that mandate OV.
The Mixed Content Problem
Mixed content is the most common SSL issue on ecommerce stores. It happens when your HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Browsers block active mixed content such as scripts and stylesheets outright, and either auto-upgrade or flag passive content such as images, so the page is no longer fully protected and the padlock may be replaced by a warning.
Common sources of mixed content on ecommerce sites:
- Product images uploaded before HTTPS migration with hardcoded http:// URLs
- CDN assets configured with HTTP origins
- Third-party scripts loaded via http:// (review widgets, chat tools, analytics)
- Embedded content from external sources (YouTube embeds, social feeds)
- CSS backgrounds referencing HTTP image URLs
Fix: Run a full-site scan to find mixed content. Update all resource URLs to HTTPS or use protocol-relative URLs (//example.com/image.jpg). Add a Content-Security-Policy header with upgrade-insecure-requests as a safety net: it makes the browser rewrite any remaining http:// resource requests to https:// before they are sent.
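As an added example (not code from the article or from StoreVitals), a small Python scanner that finds the sources of mixed content listed above in a page's HTML: http:// values in src, srcset, poster, data and stylesheet href attributes, plus url(http://...) in inline styles and style blocks. The sample page fragment and hostnames are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes fetched as sub-resources; href counts only on <link>, since <a href> is navigation.
RESOURCE_ATTRS = {"src", "srcset", "poster", "data"}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)

class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url) for every sub-resource requested over http://."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name == "srcset" and value:      # "url 1x, url 2x": first token of each candidate
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            elif name == "style" and value:     # inline CSS such as background:url(http://...)
                urls = CSS_URL_RE.findall(value)
            elif value and (name in RESOURCE_ATTRS or (tag == "link" and name == "href")):
                urls = [value.strip()]
            else:
                continue
            self.findings += [(tag, name, u) for u in urls if u.lower().startswith("http://")]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                      # CSS inside <style> blocks
            self.findings += [("style", "css", u) for u in CSS_URL_RE.findall(data)]

def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed page fragment mixing https://, protocol-relative and http:// URLs.
SAMPLE_HTML = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<style>.hero{background:url("http://cdn.example.com/hero.jpg")}</style>
<img src="http://shop.example.com/product.jpg"
     srcset="//shop.example.com/p-1x.jpg 1x, http://shop.example.com/p-2x.jpg 2x">
<script src="https://widgets.example.com/reviews.js"></script>
<a href="http://blog.example.com/">Blog</a>
<div style="background-image: url(http://cdn.example.com/bg.png)"></div>"""
```

Run find_mixed_content over the HTML of each page from a crawl; https:// and protocol-relative URLs are intentionally not reported, and the plain link in the sample is skipped because navigation is not mixed content.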
HSTS: Force HTTPS Everywhere
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain, even if someone types http:// or clicks an HTTP link. Without HSTS, the first request to your site could be intercepted on an insecure connection before the redirect to HTTPS kicks in.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This header tells browsers: "For the next year, never connect to this domain over HTTP. Include all subdomains. Add me to the browser preload list."
Warning: Don't add preload until you've tested thoroughly. Once you're on the HSTS preload list, it's difficult to remove, and any subdomain that doesn't support HTTPS will break.
Certificate Expiration Monitoring
Let's Encrypt certificates expire every 90 days. If auto-renewal breaks (and it does — server changes, DNS updates, permission issues), your store goes down with a scary browser warning that says "Your connection is not private." No customer is buying through that.
Monitor certificate expiration dates. Set up alerts for 14 days before expiry. StoreVitals checks SSL certificate validity and expiration as part of every automated scan, so you'll know before your customers do.
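An added example, not part of the article or of StoreVitals' scanner: a minimal Python expiry monitor that turns the notAfter date Python's ssl module reports into days remaining and classifies it against the 14-day threshold above. The dates in the demo are constructed, and fetch_not_after is the only part that needs a network connection.

```python
import socket
import ssl

ALERT_DAYS = 14  # alert threshold recommended in the article

def days_between(not_after, reference):
    """Days from `reference` until `not_after`; both use the format the ssl
    module reports for certificate dates, e.g. 'Jun 10 12:00:00 2030 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - ssl.cert_time_to_seconds(reference)) / 86400

def classify(days_left):
    """Map days remaining onto the three states a monitor needs to alert on."""
    if days_left < 0:
        return "expired"
    if days_left <= ALERT_DAYS:
        return "alert"
    return "ok"

def check(not_after, reference):
    days = days_between(not_after, reference)
    return classify(days), round(days, 1)

def fetch_not_after(host, port=443, timeout=5.0):
    """Read the leaf certificate's notAfter from a live server (needs network).
    With a verifying context an already-expired or otherwise invalid certificate
    raises ssl.SSLCertVerificationError instead, which a monitor must also alert on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    # Constructed dates for an offline demo; no host is contacted.
    today = "May 29 12:00:00 2030 GMT"
    for not_after in ("Jun 10 12:00:00 2030 GMT", "Jul 30 00:00:00 2030 GMT", "May 01 00:00:00 2030 GMT"):
        print(not_after, "->", check(not_after, today))
```

In production, replace the constructed dates with fetch_not_after(host) and the current time, run it on a schedule, and page on "alert", "expired" or a handshake failure.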
HTTP to HTTPS Redirect
Your server should 301 redirect all HTTP requests to HTTPS. This is separate from HSTS — the redirect handles the first visit and crawlers, while HSTS handles subsequent browser visits.
Test all four URL variations:
http://yourstore.com
http://www.yourstore.com
https://yourstore.com
https://www.yourstore.com
All four should resolve to a single canonical URL with no more than one redirect hop.
Security Headers That Complement SSL
SSL encrypts the connection, but other security headers protect against attacks that encryption alone can't prevent:
- Content-Security-Policy: Prevents XSS attacks by controlling which sources can load scripts, styles, and other resources
- X-Frame-Options: Prevents clickjacking by blocking your site from being embedded in iframes
- X-Content-Type-Options: Prevents MIME type sniffing attacks
- Referrer-Policy: Controls how much referrer information is shared with other sites
- Permissions-Policy: Controls which browser features (camera, microphone, geolocation) your site can access
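An added example (not code from the article or StoreVitals) that serves both the HSTS section above and this list: a Python audit of a response's headers that parses the Strict-Transport-Security directives, checks max-age against the one-year value and the includeSubDomains requirement for preload, and reports which of the headers listed here are missing. The two sample header sets are constructed.

```python
ONE_YEAR = 31536000  # max-age the article recommends, in seconds

# Headers the article lists alongside HSTS; only presence is checked except where noted.
EXPECTED = ("content-security-policy", "x-frame-options",
            "x-content-type-options", "referrer-policy", "permissions-policy")

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip() or True
    return directives

def audit_headers(headers):
    """Return findings for a dict of response headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = parse_hsts(hsts)
        max_age = str(d.get("max-age", ""))
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
            if "preload" in d:  # preload submission requires includeSubDomains
                findings.append("HSTS preload set without includeSubDomains")
    csp = h.get("content-security-policy", "")
    if csp and "upgrade-insecure-requests" not in csp:
        findings.append("CSP lacks upgrade-insecure-requests")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    findings += [f"{name} missing" for name in EXPECTED if name not in h]
    return findings

# Constructed sample responses: a weak configuration beside the hardened one.
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

Feed audit_headers the headers dict from any HTTP client response; an empty list means every header above is present with the HSTS directives the article recommends.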
Use our free security headers checker to see which headers your store is missing, and run a full StoreVitals scan to get a complete security assessment alongside your SEO and performance health checks.