SSL ensures that any data on your site is encrypted, and your students won’t have to worry about the security of their information. This article goes over some basic information on SSL, how it works to secure your Teachable school, and how to troubleshoot mixed content errors.
Overview
A Secure Sockets Layer (or SSL) is a standard security protocol that encrypts any data shared between a web browser and web server. A secure connection ensures that any data taken from a site is confidential.
In order to create an SSL connection, an SSL certificate is needed. This allows the web browser to establish a secure connection to the web server. For any school created after October 16, 2017, Teachable will automatically create an SSL certificate on your behalf. This means that no further action is needed to create an SSL certificate once you create your school.
A secure connection is indicated by the website's URL being prefixed with "https" instead of "http", and by a visual indicator on the web browser's address bar (usually a padlock). The screenshot below is an example of how Google Chrome indicates a secure connection:
By providing free SSL on all pages within a school (for both Teachable and custom domains), we’re giving you the following benefits:
- Security - If you have a site that is not HTTPS-enabled, students may be greeted with a warning from their browser that the site they are trying to access is insecure. Once SSL is enabled and you secure your site, your students can rest assured that they are free to participate in your course's without the fear of having their information stolen.
- SEO - Google has announced that they will take site security into account when ranking websites on a search engine. When your school has SSL enabled on every page, it will rank higher on search engine results and be seen by more people.
CAUTION: When using a Teachable subdomain, SSL applies to one level of subdomains (e.g. schoolname.teachable.com). Adding a multi-level domain (e.g. www.schoolname.teachable.com) will display an error message.
Mixed content (HTTP vs. HTTPS) and potential issues
In some cases, you may notice browser warnings when visiting your site, or some of your content may not display properly. The usual reason for this is “mixed content”—in other words, your site is trying to load both HTTPS and HTTP content. For instance, you may have embedded an image or video from a non-SSL-enabled webpage.
To better understand mixed content, see this blurb from Google's support documentation on mixed content:
Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
If you've used HTML code to embed content within your school, it's possible that some of your pages have mixed content. If your site is secure (HTTPS), but your content is insecure (HTTP), there will be a conflict between the two.
NOTE: Some areas where mixed content could occur include the Power Editor, Code Snippets, and custom HTML blocks. To see where mixed content may exist within your school, use this tool created by JitBit to go through your HTTPS site and search for any insecure content. However, please note that this tool may not catch all instances of mixed content in your school.
For example, if you've embedded an image into your secure (HTTPS) sales page by adding the following HTML code:
<img src="http://imageexample.com/puppy.jpg">
Your web browser will warn you that the page is not secure. This is because the image is taken from an insecure URL (as indicated by the HTTP). Your web browser cannot declare the page secure, because the browser is trying to load insecure data (the image) over a secure connection (the HTTPS-enabled sales page).
To fix this, ensure that all content on a secure page is using an HTTPS URL. If you have content that it is using an HTTP URL, you'll have to get a new HTTPS URL for the content and use that instead. Another option is to directly upload the content through Teachable, as this will ensure the content is secure (if you have SSL enabled).
Learn more about handling mixed content on your website:
Custom domains and SSL
Teachable issues SSL certificates for custom domains and custom subdomains once they are added to the Site > Domains menu.
When a custom domain is added to your Teachable site, you might receive a message that your SSL certificate is still generating. SSL certificates can take up to 30 minutes to generate once the domain is added to your Site > Domains menu.
If your custom domain has not been verified after 30 minutes, please review our Knowledge Base article on custom domains to ensure that your DNS records were set up correctly. If any changes are made, remove and re-add the domain to your Site > Domains menu to re-generate the SSL certificate.
Schools created prior to 10/16/17
SSL was made available for all Teachable pages on October 16, 2017. Schools created prior have a button to turn SSL security on or off within their Settings > General > SSL Security menu. For schools with this option, we strongly recommend keeping SSL Security enabled.