SSL / domain / DNS cutover draft

Provisioning SSL, enforcing HTTPS + HSTS, and pointing a production domain at the site — per platform.

Use this when

Connecting a custom domain to a HubSpot or Webflow site, or moving a live domain to a new build.

Definition of done

Production domain serves over HTTPS with a valid cert, HTTP/non-canonical hosts redirect, HSTS is set, and a CSP header is in place.

HubSpot

  1. Connect the domain — HubSpot auto-provisions a SAN SSL cert via Google Trust Services. Active within minutes (up to ~4h); auto-renews 30 days before expiry while the CNAME points to HubSpot.
  2. TLS 1.2+ is accepted by default; raise the minimum TLS version in domain settings if required.
  3. Enable HTTPS enforcement and HSTS (max-age, optional preload, include-subdomains) — requires Super Admin / Domain settings permission.
  4. Set security headers in domain settings: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

Webflow

  1. SSL is handled by Webflow hosting; confirm HTTPS is enforced in site settings.
  2. For custom response headers (CSP/HSTS), front the site with a proxy (e.g. Cloudflare); Webflow hosting does not expose arbitrary header config (verify).

Gotchas

HubSpot Custom SSL lets you upload your own cert, but a pre-existing certificate can't be reused, because reusing it compromises the certificate's security.

Add preload to HSTS only deliberately: preload-list inclusion is hard to undo, and the HSTS policy is cached by browsers for the full max-age.
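
One way to check the definition of done and the preload gotcha after cutover, as an added example (not HubSpot or Webflow tooling). It audits response headers captured with something like `curl -sI`; the hostnames, the SAMPLE data and the function names are constructed for illustration, and the one-year figure is the hstspreload.org submission requirement.

```python
import re

PRELOAD_MIN_AGE = 31536000  # hstspreload.org: max-age of at least one year

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        part = part.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part)
        if m:
            max_age = int(m.group(1))
        elif part:
            flags.add(part)
    return max_age, flags

def audit(canonical, responses):
    """responses maps URL -> (status, headers); returns a list of problems."""
    problems = []
    target = f"https://{canonical}/"
    for url, (status, headers) in responses.items():
        h = {k.lower(): v for k, v in headers.items()}
        if url == target:
            if status != 200:
                problems.append(f"{url}: expected 200, got {status}")
            max_age, flags = parse_hsts(h.get("strict-transport-security", ""))
            if not max_age:  # header absent, unparsable, or max-age=0
                problems.append(f"{url}: HSTS missing or max-age=0")
            elif "preload" in flags and (max_age < PRELOAD_MIN_AGE
                                         or "includesubdomains" not in flags):
                problems.append(f"{url}: preload without 1y max-age + includeSubDomains")
            if "content-security-policy" not in h:
                problems.append(f"{url}: no CSP header")
        elif (status not in (301, 302, 307, 308)
              or not h.get("location", "").startswith("https://")):
            problems.append(f"{url}: HTTP/non-canonical host must redirect to HTTPS")
    return problems

# Constructed sample: HSTS carries preload with a short max-age, CSP is
# missing, and the apex host serves content instead of redirecting.
SAMPLE = {
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=300; preload"}),
    "http://www.example.com/": (301, {"Location": "https://www.example.com/"}),
    "https://example.com/": (200, {}),
}

if __name__ == "__main__":
    for problem in audit("www.example.com", SAMPLE):
        print(problem)
```
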

Why & sources

From HubSpot SSL/domain-security docs and the platform research: Web security for client sites.