Glitch SSL Certificate

Some of my users are saying that my website does not have a valid web certificate (SSL/Not Secure).
How do I add a SSL Certificate to my website?

Simply redirect the user to the secure version of the site, since the redirect is not automatically provided. This can be done simply by adding this too the <head> of your website.

if (location.protocol != 'https:') {
 location.href = 'https:' + window.location.href.substring(window.location.protocol.length);

Code was taken from StackOverflow.


Glitch provides SSL for all projects out of the box. It’s possible for users to visit the http rather than https version though. As nathejd suggests, you can force it to always use https. If you’d like a server-side solution, take a look at!/force-http-or-https

It doesn’t work. Multiple people besides me gets the same error about it not being secure.
It happens when the following are used:

Please help!

You’ll want to make sure not to redirect to the www subdomain. The certificate we provide with Glitch is for any * domain, but does not include any www.* Take a look at your check.js file and remove the www on the redirect. Hope that helps!

1 Like
  1. I’m following this project structure and am indeed getting HTTP->HTTPS redirect…(!/force-http-or-https) which is great. But…
  2. a client I’m working for wants me to pass certification on this tool (“A” in “protocol support” => TLS 1.0 and 1.1 must be disabled… , Qualys,
  3. You’ll notice that the above ‘*force-http-or-https’ project, when taken to the Qualys site, scores a ‘B’ in ‘protocol support.’ And the site states that ‘it supports TLS 1.0 and 1.1’ so…

Is this the best we can do on Glitch…?

I dug around and tried nginx deployment… and subtracted support for TLS 1.0,1.1 - but I end up in a continuous bounce redirect loop and 301-error.

Should I be exploring Heroku and going into the depths of ‘certs’, ‘Cert Authorities’, ‘Cipher suites’ etc?? Is it time to cut bait on the two Glitch fish…? I don’t want to.

Hi @MaxwellHarper, welcome to the forum :slight_smile:

Glitch’s support for older ciphers means that sites still work on older Android devices and early web tablets. This is probably an intentional choice to allow widest accessibility to Glitch sites on a range of devices.

For example, my Blackberry Playbook can access only a very narrow swathe of the internet nowadays because so many sites have switched off TLS 1.0 and 1.1 :sweat: It’s sad.

Anyway, I don’t think you can individually influence this on Glitch. The infra is the infra and you have no way to disable ciphers within your project (as far as I know!!)

If this is a hard requirement it may be that you have to go to another platform – unless someone can correct me. Most likely suspects are @wh0 and @tasha

Hope it helps! :slight_smile:

unethical tip: set up cloudflare or some other reverse proxy in front of glitch and set that up to use whatever cipher suites make you look good to the client

1 Like