As cyber threats become increasingly sophisticated, the security of web platforms like Squarespace is a critical concern for anyone managing an online presence. Squarespace provides a range of security features, such as SSL certificates and robust server protection, but how does Squarespace stack up against industry standards and what more can be done to secure your site?

In this analysis, I'll explore the built-in security measures Squarespace offers and assess their effectiveness in protecting your online presence.

I'll also discuss steps you can take as a site owner to further enhance your Squarespace site's security.

• Enable Clickjack Protection: If your Squarespace site was created before September 2021 this setting will be disabled unless you have enabled it. Clickjack protection is enabled by default on Squarespace sites created since September 2021. This setting helps prevent malicious attempts to overlay your website with hidden frames that deceive users into clicking on something different than they think they are clicking.

• Enable 2FA Authentication: Two-factor authentication adds an extra layer of security by requiring a second form of verification in addition to your password.

• Check Your SSL Settings: SSL is enabled by default on Squarespace sites but there is an option to disable it. Ensure that SSL certificates are properly enabled for all your domains to secure connections and protect data transfers.

• Regularly Review Site Contributors and Their Permission Levels: Many security breaches come from disgruntled ex-employees who still have access to website admin systems. Manage access control diligently by reviewing who has access to your website and adjusting their permissions as necessary to ensure that only the appropriate individuals have the right levels of access.

How to enable clickjack protection

• While logged in to your Squarespace site navigate to Settings -> Developer Tools -> Website Security

• Ensure that clickjack protection is enabled (green)

How to enable 2FA authentication

To enable two-factor authentication (2FA) on your Squarespace account, follow these steps:

1. Access Security Settings:

   • Navigate to the Home Menu, select "Settings", and then click on "Security & Login".

2. Set Up Two-Factor Authentication:

   • Under "Two-Factor Authentication", click on "Enable".

3. Choose an Authentication Method:

   • You can choose to set up 2FA using an authenticator app (like Google Authenticator or Authy) or via text message (SMS).

4. Authenticate Using Your Chosen Method:

   • If using an app, scan the QR code with your app to link it to your Squarespace account. The app will then generate a code to enter on the site.

   • If using SMS, enter your phone number, and Squarespace will text you a code to use for setup.

5. Backup Codes:

   • After setting up 2FA, Squarespace provides backup codes. Store these codes in a safe place as they can be used to access your account if your primary 2FA method is unavailable.

For detailed guidance and visuals on each step, you can refer to Squarespace's official support page on the subject here.

How to check your SSL settings

• While logged in to your Squarespace site navigate to Settings -> Developer Tools -> SSL

• Ensure that Secure (Preferred) is selected and that HSTS Secure is ticked.

How to review and optimise permission levels for site contributors

• Go to Settings -> Permissions and Ownership and Review INVITES SENT and CONTRIBUTORS

  • INVITES SENT lists people who you invited to contribute but have not responded. Remove their invitation if you no longer want them to access the site.

    • Click the invitee’s name

    • On the next screen click the three dots to the right of their name

    • Click CANCEL INVITE

  • CONTRIBUTORS are people who currently have access to the site admin.

    • Remove any contributors who no longer need site access, such as ex-employees

      • Click the contributor’s name

      • On the next screen click the three dots to the right of their name

      • Click REMOVE CONTRIBUTOR

    • Remove all permissions for contributors who do not need site access now but might do in future, like agency workers or freelancers (such as developers)

      • Click the contributor’s name

      • On the next screen click the three dots to the right of their name

      • Click REMOVE PERMISSIONS

    • Review the permissions give to other contributors and ensure that they only have the permissions necessary to perform their role

      • Click the contributor’s name

      • Review permissions and enable / disable any that are no longer needed

      • Click SAVE at top right of screen

Squarespace's Commitment to Security

Squarespace's dedication to security encompasses several key measures:

• Global Privacy Laws Compliance: Squarespace ensures that its practices align with international data protection regulations, such as GDPR, to safeguard user information effectively.

• Security Documentation: Comprehensive documentation outlines both the technical and organizational security measures implemented to protect user data.

• Responsible Vulnerability Disclosure: Squarespace supports a culture of security by encouraging the responsible reporting of vulnerabilities. They prioritize investigating and addressing any reported issues promptly to maintain platform integrity and user trust.

For a detailed overview of Squarespace's security commitments, you can visit their official security page.

Squarespace's Security Measures

Squarespace ensures the security of customer data through a combination of technical and organizational measures:

Technical Measures:

• SSL Certificates: Automatically enabled for all domains to secure connections.

• DoS Attack Protection: Solutions designed to mitigate Denial of Service attacks.

• TLS Encryption: Used to secure data in transit between users and domains.

• PCI-DSS Compliance: Payment processors handle sensitive card data directly.

Organizational Measures:

• Security Operations Center (SOC): Monitors for threats and vulnerabilities 24/7.

• Penetration Testing: Regular testing to identify and remedy vulnerabilities.

• Compliance: Efforts to meet global privacy laws like GDPR.

• Two-Factor Authentication (2FA): Available for all user accounts.

Squarespace has a regulatory obligation to report Cybersecurity breaches

In July 2023 the US Securities and Exchange Commission adopted final rules for public companies, including Squarespace, regarding cybersecurity incident disclosures.

Companies must now report material cybersecurity incidents promptly through Form 8-K filings.

A Form 8-K filing is a report required by the U.S. Securities and Exchange Commission (SEC). It is used by publicly traded companies to notify investors of significant events that may affect the company's financials or share price. These events can include executive leadership changes, mergers and acquisitions, financial disclosures, and, importantly, cybersecurity incidents. The purpose of this filing is to ensure that shareholders and the market are informed in a timely and transparent manner about material events that could impact the company.

"Timely" in the context of Form 8-K filings means that the company must file the report within four business days of becoming aware of a material event that needs to be reported. This prompt disclosure requirement is crucial to maintain transparency with investors and the market, ensuring that all relevant parties are informed without undue delay.

The report must include details of the incident and its impacts. If initial details are not available, companies must state this in their filing and provide an amendment with the full details within four business days of determining them.

This ensures timely and transparent communication to investors about cybersecurity risks and incidents.

Squarespace's checkout flow is intentionally locked down and cannot be customized with custom scripts or styles by site owners. This is primarily for security reasons to maintain PCI DSS compliance and protect sensitive payment data.

Key points about the Squarespace checkout and its restrictions:

1. PCI DSS Compliance: The Payment Card Industry Data Security Standard (PCI DSS) mandates strict security requirements for any webpage that processes, stores, or transmits credit card data1. Squarespace's checkout is PCI compliant, but allowing site owners to add custom code could jeopardize this compliance.

2. Preventing Breakage: The checkout is complex, adapting to product type, language, country, currency, device size, and browser capabilities1. Permitting user customization could easily break core functionality and prevent customers from making purchases.

3. No Custom Code: Site owners cannot add any JavaScript, HTML, or CSS to the checkout. This prevents potential vulnerabilities that could be introduced by custom scripting.

4. Limited Visual Customization: Only a few basic design elements like colors can be changed in the checkout. Fonts, layout, and most visual aspects cannot be modified.

5. Restricted Functionality: Many functional aspects are also locked, such as changing button text, date formats, requiring billing addresses, and more1. This maintains a consistent, secure, and compliant checkout flow.

While these restrictions can be frustrating for site owners wanting greater control and customization, they are in place to protect the security and integrity of the checkout process.

By locking down the checkout, Squarespace takes on the burden of maintaining a PCI compliant and secure environment for processing payments. However, the lack of flexibility does limit some common e-commerce customizations like adding checkboxes for agreeing to terms, linking to policies, and more. So while the security benefits are clear, the restrictions can be a downside for site owners needing greater control over the checkout experience.

How does Squarespace ensure the security of customer data?

Squarespace maintains high security standards to protect customer data through a blend of technical and organizational measures. They employ SSL certificates and Denial of Service (DoS) attack protection to safeguard online interactions. Data transmitted between user devices and Squarespace servers is encrypted using Transport Layer Security (TLS). The company also ensures PCI-DSS compliance for all payment processing. Organizational security is reinforced by continuous monitoring through their Security Operations Center and regular penetration tests to evaluate their defense mechanisms against potential vulnerabilities.

What is Clickjacking and how does Squarespace mitigate against it?

Clickjacking, also known as a "UI redress attack", is a malicious technique where an attacker tricks a user into clicking on something different from what the user perceives they are clicking on. This is done by invisibly layering the target website over a malicious site, often using iframes, so when the user clicks on a visible element they are actually clicking on the hidden page underneath.

Squarespace mitigates against clickjacking attacks in a few key ways:

1. Squarespace provides the option for customers to implement clickjack protection for their websites. Since September 2021 this protection is enabled by default 

2. Squarespace also utilizes Web Application Firewall (WAF) technology1, which can detect and block clickjacking attempts by identifying suspicious framing of web pages from different origins.

3. Squarespace's security team performs regular penetration testing on the platform and remediates identified threats, which would include testing for clickjacking vulnerabilities.

In summary, Squarespace provides the tools for users to enable strong clickjacking defenses on their websites, employs a WAF that can detect malicious framing, and proactively tests and fixes any clickjacking issues on the platform itself.

What are the payment card industry data security standards (PCI DSS) and how does Squarespace comply with them?

The Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It was launched in 2006 to manage PCI security standards and improve account security throughout the transaction process.Squarespace complies with PCI DSS in several ways to protect customer payment data:

1. All of Squarespace's built-in payment processor integrations, including Stripe, PayPal, and Square, are compliant with the applicable PCI standards.

2. Sensitive card data is never handled by Squarespace itself. It goes directly to the payment processor's servers, so Squarespace doesn't have access to this information.

3. Squarespace uses Transport Layer Security (TLS) 1.2, a security protocol required by the PCI Council for all HTTPS connections, to encrypt data in transit.

4. Squarespace maintains compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and uses the most up-to-date security protocols to keep accounts secure.

5. While Squarespace is PCI compliant, it's important to note that PCI DSS is not a law but rather a standard. Companies can choose not to be compliant, but may face fines from their payment processor if there is a data breach.

So in summary, Squarespace ensures its payment processing is PCI DSS compliant by using certified payment gateways, never handling sensitive card data directly, encrypting data transmissions, and staying up-to-date with the latest PCI security protocols. This allows Squarespace customers to securely accept payments on their websites.

How often does Squarespace undergo PCI-DSS audits?

Squarespace maintains compliance with the Payment Card Industry Data Security Standard (PCI-DSS) by using the most up-to-date security protocols. However, the exact frequency of Squarespace's PCI-DSS audits is not explicitly stated.

The PCI Security Standards Council generally requires an audit every 90 days, or once per quarter. The audit frequency can also vary depending on the specific payment card company's requirements for merchants and service providers.

While Squarespace itself does not directly handle sensitive card data (it goes straight to the payment processor), Squarespace does use PCI-compliant payment processors like Stripe, PayPal, and Square. These payment processors would need to undergo regular PCI-DSS audits.

So in summary, while the exact audit schedule is not specified, it's reasonable to infer that Squarespace and its integrated payment processors are subject to PCI-DSS audits at least quarterly, in line with industry standards, to maintain their compliance status. But more specific details about Squarespace's internal audit frequency are not provided in these search results.