Complete Guide to Domain Security and Content Security Policy (CSP) in HubSpot

Written by Niko Yankovsky | September 7, 2025

Securing your website is not just about installing an SSL certificate — it’s about building multiple layers of protection that work together. From HTTPS and TLS to modern HTTP security headers like Content Security Policy (CSP), every setting contributes to protecting your visitors, your data, and your brand’s credibility. In this article, we’ll break down what each HubSpot domain security setting does, why it’s important, and how to configure them properly — even if you’re not a security expert.

SSL Certificates: Foundation of a Secure Connection

When you connect a domain to HubSpot, the platform automatically provisions a standard SAN (multi-name) TLS certificate, still commonly called an SSL certificate, through Google Trust Services. This lets your site load over HTTPS, encrypting traffic between the visitor's browser and the HubSpot servers that serve your content.

Key points:

  • SSL provisioning is automatic and free.
  • Certificates are renewed 30 days before expiration.
  • To connect your domain, you must have a CNAME record (or A records for root domains) pointing to HubSpot’s secure servers.

If you prefer to use a custom certificate, you can purchase the Custom SSL Add-on, which allows you to upload your own certificates directly in HubSpot.

Tip: If your domain has Certification Authority Authorization (CAA) records, they must authorize Google Trust Services, whose CAA identifier is pki.goog; otherwise no certificate can be issued or renewed and the domain stays in an "Action required" state. A CAA set restricts issuance to the CAs it names, so add a record such as example.com. CAA 0 issue "pki.goog" alongside any existing ones (and an issuewild entry for pki.goog if you use issuewild records, since those override issue records for wildcard names). A domain with no CAA records at all imposes no restriction, and CAs also look at parent domains, so check those too.
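As an added example (mine, not from the article or from HubSpot), here is an offline check of that CAA rule: it parses CAA records in the presentation format that dig +short CAA example.com prints and applies the RFC 8659 issuance decision for a given CA domain, including the issuewild override and the critical-flag rule. The record sets at the bottom are constructed for illustration.

```python
import re
from dataclasses import dataclass

CRITICAL_FLAG = 0x80                     # RFC 8659 "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
HUBSPOT_CA = "pki.goog"                  # Google Trust Services, the CA HubSpot uses


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Matches `dig +short CAA` output (0 issue "pki.goog") and full zone-file lines
# (example.com. 300 IN CAA 0 issue "pki.goog"); the value is always quoted.
_CAA_RE = re.compile(r'(?:\bCAA\s+)?(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(line):
    """Parse one CAA record in presentation format into a CAARecord."""
    m = _CAA_RE.search(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def _issuer_domain(value):
    # 'pki.goog; accounturi=...' -> 'pki.goog';  ';' alone -> '' (forbids every CA)
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records, ca, wildcard=False):
    """RFC 8659 decision: may `ca` issue for the name that owns this RRset?"""
    if not records:
        return True                      # no CAA records: any CA may issue
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                      # only iodef records: no restriction on issuance
    return any(_issuer_domain(r.value) == ca.lower() for r in relevant)


def hubspot_can_issue(lines, wildcard=False):
    """True if HubSpot's CA is authorised by the CAA records given as text lines."""
    return caa_permits([parse_caa(line) for line in lines], HUBSPOT_CA, wildcard)


# Constructed sample: a domain that only authorised Let's Encrypt before moving to HubSpot.
BEFORE = [
    'example.com. 300 IN CAA 0 issue "letsencrypt.org"',
    'example.com. 300 IN CAA 0 iodef "mailto:security@example.com"',
]
AFTER = BEFORE + ['example.com. 300 IN CAA 0 issue "pki.goog"']

if __name__ == "__main__":
    for name, rrset in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: HubSpot can issue -> {hubspot_can_issue(rrset)}")
```

Feed it the lines from dig +short CAA yourdomain.com; because a CA uses the closest ancestor that has CAA records, repeat the query for the parent domains when the name itself returns nothing.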

Pre-Provisioning and DCV Records

If you’re migrating your site to HubSpot, you can pre-provision your SSL certificate to avoid downtime. During the domain connection process, HubSpot provides DNS records you can add to your registrar before completing the setup.

DCV (Domain Control Validation)

Sometimes HubSpot may ask you to add a DCV (Domain Control Validation) record. It is a DNS record that proves to the certificate authority that you control the name, so certificates can be issued and renewed on an ongoing basis; it is most often required for reverse proxy setups, where the proxy sits between visitors and HubSpot.

Steps:

  1. Go to Settings → Content → Domains & URLs.
  2. Find the domain marked “Action required.”
  3. Copy and add the DCV record from HubSpot to your DNS provider.
  4. Wait up to 24 hours for the changes to take effect.

Domain Security Settings in HubSpot

Once your domain is connected and secured with SSL, HubSpot allows you to customize additional domain-level security settings.

1. HTTPS Enforcement

Turning on "Require HTTPS" redirects every http:// request for the domain to https://, so pages and assets are always served over TLS. Browsers then apply their mixed-content rules: active content (scripts, stylesheets, iframes, fetch/XHR) requested over plain http:// from an HTTPS page is blocked outright, and passive content such as images is either upgraded to https:// or blocked.

Example: an image referenced as http://example.com/image.jpg on a secure page will either be silently upgraded by the browser or fail to display, and a script referenced that way will never load. Always reference resources with https:// URLs.

2. TLS Version

HubSpot servers accept TLS 1.0 and above by default, but TLS 1.0 and 1.1 are deprecated (RFC 8996) and disabled in every current browser. Restrict the minimum to TLS 1.2 so that the legacy protocol versions and their weaker cipher suites can no longer be negotiated; this costs nothing with modern browsers, though you should check your analytics for very old clients before tightening.

Security Headers: The Second Line of Defense

Security headers tell browsers how to handle content and connections on your website. They mitigate attacks such as cross-site scripting (XSS), clickjacking, MIME-type confusion and referrer leakage. HubSpot lets you enable these headers for each connected domain.

HTTP Strict Transport Security (HSTS)

HSTS tells browsers that, for the stated duration, every request to the domain must use HTTPS: the browser rewrites http:// navigations to https:// before they leave the machine and will not let the user click through a certificate error. The header only takes effect after the browser has seen it once over a valid HTTPS response, so the very first visit is unprotected unless the domain is on the browsers' preload list.

Recommended settings:

  • Duration (max-age): 31536000 (1 year)
  • Enable preload
  • Include subdomains

Example Header:

  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Caveat: includeSubDomains and a one-year max-age are prerequisites for preloading (submitted at hstspreload.org), and preloading commits every subdomain, including internal or staging hosts, to HTTPS for as long as it takes to be removed from the list, which is months. Confirm that every subdomain serves valid HTTPS first; if in doubt, deploy without preload and with a shorter max-age, then raise it.

X-Frame-Options

Protects your pages from clickjacking by controlling whether they may be loaded inside <iframe>, <frame>, <embed> or <object> elements on other sites.

Options:

  • deny — disallow embedding entirely.
  • sameorigin — only allow framing by pages from your own origin.

Example:

  X-Frame-Options: SAMEORIGIN

The older allow-from value is obsolete and ignored by modern browsers. If you need to permit specific partner sites, use the CSP frame-ancestors directive instead; browsers give it precedence over X-Frame-Options when both are present, so keeping X-Frame-Options serves only as a fallback for old browsers.

X-XSS-Protection

Controlled the built-in reflected-XSS filter of older browsers, which blocked or rewrote a page when it detected a reflected script. That filter has since been removed from Chrome and Chromium-based Edge and was never implemented in Firefox, and its behaviour was itself abused for cross-site leaks, so the header is now a legacy setting rather than a defense; rely on CSP instead.

Recommended setting:

  X-XSS-Protection: 0

If you must keep the filter active for users of legacy Internet Explorer, use 1; mode=block rather than a bare 1, which lets the browser rewrite the page instead of blocking it.

X-Content-Type-Options

Prevents MIME type sniffing: without it a browser may guess a response's type from its bytes, so a user-uploaded file or an API response could be interpreted as a script or stylesheet and executed. With nosniff the browser honours the declared Content-Type only, which also means your own assets must be served with correct types.

Recommended setting:

  X-Content-Type-Options: nosniff

Referrer-Policy

Controls how much of the current page's URL is sent in the Referer header, both when users follow links to other sites and when the page requests subresources (images, scripts, fetch/XHR) from third parties. Full URLs can leak session tokens, campaign parameters or internal paths.

Example:

  • strict-origin-when-cross-origin — recommended for most websites: same-origin requests get the full URL, cross-origin requests get only the origin, and nothing is sent on an HTTPS-to-HTTP downgrade.
  • no-referrer — for maximum privacy, at the cost of referrer-based attribution on other sites.

Example Header:

  Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

Controls which browser features and APIs (camera, microphone, geolocation, fullscreen and others) the page, and any iframes it embeds, may use. An empty allowlist () disables the feature outright; (self) restricts it to your own origin; an embedded third-party frame only gets a feature if both this header and the iframe's allow attribute grant it.

Example:

  Permissions-Policy: geolocation=(self), microphone=()

This tells the browser that only your own origin may request location data, and that microphone access is disabled for the page and everything it embeds.
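The following is an added example, not code from the article or from HubSpot: a small Python audit that checks one response's headers against the recommendations in this section (the same headers reappear with HubSpot setup steps further down, and the checks apply there too). The two header sets at the bottom are constructed, one deliberately weak and one hardened; fetch_headers is included so the same audit can be run against a live host, and is not exercised by the sample.

```python
import http.client

HSTS_MIN_AGE = 31536000          # one year: the article's value and the preload-list minimum
SAFE_REFERRER = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}   # send full URLs cross-origin
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def fetch_headers(host, path="/"):
    """Live variant: one HTTPS GET, returns the response headers (not used offline)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path, headers={"User-Agent": "header-audit/1.0"})
    headers = dict(conn.getresponse().getheaders())
    conn.close()
    return headers


def _hsts_params(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    params = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.lower()] = val.strip().strip('"')
    return params


def audit(headers):
    """Return a list of (severity, header, message) findings for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("high", "Strict-Transport-Security", "missing: first-visit downgrade possible"))
    else:
        p = _hsts_params(hsts)
        age = int(p["max-age"]) if p.get("max-age", "").isdigit() else 0
        if age < HSTS_MIN_AGE:
            out.append(("medium", "Strict-Transport-Security", f"max-age {age} is below one year"))
        if "includesubdomains" not in p:
            out.append(("low", "Strict-Transport-Security", "includeSubDomains not set"))
        if "preload" in p and (age < HSTS_MIN_AGE or "includesubdomains" not in p):
            out.append(("low", "Strict-Transport-Security",
                        "preload set but the list requires max-age>=1y and includeSubDomains"))

    csp = h.get("content-security-policy", "")
    if not csp:
        out.append(("high", "Content-Security-Policy", "missing (a Report-Only header alone blocks nothing)"))

    # CSP frame-ancestors supersedes X-Frame-Options; judge XFO only when it is the sole control.
    if "frame-ancestors" not in csp:
        xfo = h.get("x-frame-options")
        if xfo is None:
            out.append(("medium", "X-Frame-Options", "missing and no frame-ancestors: clickjacking possible"))
        elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
            out.append(("medium", "X-Frame-Options", f"unsupported value {xfo!r} (ALLOW-FROM is obsolete)"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        out.append(("medium", "X-Content-Type-Options", "not set to nosniff"))

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        out.append(("low", "X-XSS-Protection", "legacy filter enabled; modern guidance is 0 plus CSP"))

    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        out.append(("low", "Referrer-Policy", "missing; relying on the browser default"))
    elif rp in LEAKY_REFERRER:
        out.append(("medium", "Referrer-Policy", f"{rp} sends full URLs to third parties"))
    elif rp not in SAFE_REFERRER:
        out.append(("low", "Referrer-Policy", f"unrecognised value {rp!r}"))

    if "permissions-policy" not in h:
        out.append(("low", "Permissions-Policy", "missing; powerful features left at browser defaults"))
    return out


def worst_severity(findings):
    """'high', 'medium', 'low' or 'none' for a findings list."""
    return max((f[0] for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "unsafe-url",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(self), microphone=()",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, worst_severity(audit(hdrs)), audit(hdrs))
```

To audit a live domain, call audit(fetch_headers("www.example.com")); the weak sample should come back with a high finding for the missing CSP, the hardened one with none.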

Content Security Policy (CSP): The Core of Modern Web Security

A Content Security Policy is a powerful browser mechanism that helps prevent malicious code from executing on your site — even if an attacker injects it.

CSP defines which content sources are trusted for loading scripts, styles, images, frames, and other resources.

Why CSP Matters

  • Mitigates Cross-Site Scripting (XSS): injected script may still land in the page, but the browser refuses to run it unless its source is allowed.
  • Blocks unauthorized scripts or iframes.
  • Helps control integrations and third-party content.
  • Limits the damage of a compromised third-party script or a mistyped embed to the sources you have explicitly allowed.

Common CSP Directives and Meanings

  Directive      Description                                      Example
  default-src    Fallback for every fetch directive not set       'self'
  script-src     Allowed sources for JavaScript                   'self' https://js.hs-scripts.com
  style-src      Allowed sources for CSS                          'self' 'unsafe-inline'
  img-src        Allowed image sources                            'self' data:
  frame-src      Allowed iframes or embedded content              'self' https://*.hubspot.com
  connect-src    Allowed fetch/XHR, WebSocket and beacon calls    'self' https://*.hubapi.com

Two notes on the examples: a directive you leave out is governed by default-src (frame-src checks child-src first), so default-src 'self' is the safe baseline; and 'unsafe-inline' is far less damaging in style-src than in script-src, but it still lets injected CSS restyle or exfiltrate page content, so drop it if your templates allow. data: is acceptable for img-src; never add it to script-src.

Content-Security-Policy-Report-Only

If you're rolling out or changing a CSP, enable Report-Only mode first. Browsers evaluate the policy and report every violation without blocking anything, so you can find the sources you forgot before they break the site. Two caveats: violations are only visible in the browser's developer console unless the policy also carries a report-uri or report-to directive pointing at a collector you control, and Report-Only on its own protects nothing, so move the finished policy to the enforcing header.

Example:

  Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://js.hs-scripts.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'self' https://*.hubspot.com; connect-src 'self' https://*.hubapi.com

HubSpot Plan Restrictions

Not all domain security settings in HubSpot are available to every account.
If you have a Content Hub Starter, Professional, or Enterprise plan, you can enable a broader range of security headers to improve protection and compliance across your hosted content.

X-Frame-Options

This header controls whether your pages can be embedded in <iframe>, <frame>, <embed>, or <object> elements. It helps prevent clickjacking attacks by restricting where your content can be displayed.

Options:

  • deny — blocks your pages from being embedded anywhere.
  • sameorigin — allows embedding only within your own domain.

Setup: Navigate to Settings → Content → Domains & URLs → Actions → Update domain security settings → Security headers tab, then select X-Frame-Options and choose the directive that best fits your needs.

X-XSS-Protection

This header controlled the reflected-XSS filter of older browsers; current Chrome, Edge and Firefox ignore it, so it only affects users on legacy Internet Explorer.

Options:

  • 0 — disables the filter (the value now recommended, because the filter itself could be abused to leak page contents).
  • 1 — enables the filter and lets the browser rewrite the page when it detects an attack (avoid: the rewriting has been exploited).
  • 1; mode=block — enables the filter and stops the page from rendering when an attack is detected; use this if you enable the filter at all.

Setup: Under Security headers, select X-XSS-Protection, choose a setting from the dropdown, and click Save.

X-Content-Type-Options

Prevents browsers from MIME type sniffing, which can lead to executing unexpected or unsafe content types. Setting this header to nosniff ensures browsers only process files according to their declared MIME type.

Setup: In Security headers, select X-Content-Type-Options and click Save.

Content-Security-Policy (CSP)

The Content-Security-Policy header defines which resources (scripts, styles, images, iframes, etc.) are allowed to load on your website. This is one of the most powerful defenses against cross-site scripting (XSS), data injection, and content hijacking.

Setup:

  1. In HubSpot, go to Settings → Content → Domains & URLs → Actions → Update domain security settings → Security headers tab.
  2. Enable Content-Security-Policy.
  3. Add your policy directives (e.g., default-src 'self'; script-src 'self' https://*.hubspot.com).
  4. Optionally, enable the nonce option: HubSpot then attaches a per-response nonce to the scripts it renders and allows scripts carrying the matching 'nonce-<value>' to execute, so those scripts run without 'unsafe-inline'.

Important: HubSpot automatically generates unique nonces for the scripts it renders. Keep the domains and directives HubSpot requires in your policy anyway, or forms, chat and analytics will silently stop working; and remember that browsers ignore 'unsafe-inline' in script-src once a nonce or hash is present, so the two cannot be combined.

Here's a condensed version of the most essential domains to include (a wildcard such as *.hubspot.com matches subdomains only, not the bare hubspot.com):

  Domain / Wildcard     Directive(s)                                              Purpose
  *.hubapi.com          connect-src                                               API requests, form submissions
  *.hubspot.com         script-src, img-src, connect-src, frame-src               Core HubSpot scripts and embedded tools
  *.hsforms.com         script-src, img-src, frame-src, connect-src, child-src    Forms and surveys
  *.hsadspixel.net      script-src                                                Ads tracking
  *.hs-analytics.net    script-src                                                Analytics tracking
  *.usemessages.com     script-src                                                Conversations and chatflows
  *.hubspot.net         script-src, img-src, frame-src                            Static assets and hosted files

(For the full list, refer to HubSpot's documentation.)
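Added example (my own code, not HubSpot's): a Python check that parses a CSP header string, resolves the CSP3 fallback chain (frame-src to child-src to default-src, the other fetch directives to default-src), reports which of the HubSpot sources in the condensed table above are not covered by the directive that would actually govern them, and flags the weak spots a reviewer looks for in any policy. HUBSPOT_REQUIRED is transcribed from that table only, so it knows nothing about the full list; the two policies at the bottom are constructed, the short one being the example from the setup steps.

```python
# Transcribed from the condensed table above (not HubSpot's full list).
HUBSPOT_REQUIRED = {
    "*.hubapi.com": ["connect-src"],
    "*.hubspot.com": ["script-src", "img-src", "connect-src", "frame-src"],
    "*.hsforms.com": ["script-src", "img-src", "frame-src", "connect-src", "child-src"],
    "*.hsadspixel.net": ["script-src"],
    "*.hs-analytics.net": ["script-src"],
    "*.usemessages.com": ["script-src"],
    "*.hubspot.net": ["script-src", "img-src", "frame-src"],
}
# CSP3 fallback chain: an absent directive is governed by its parent.
FALLBACK = {"frame-src": "child-src", **{d: "default-src" for d in (
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "child-src")}}


def parse_csp(policy):
    """'d1 a b; d2 c' -> {'d1': ['a', 'b'], 'd2': ['c']}; a duplicated directive keeps the first."""
    csp = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() not in csp:
            csp[parts[0].lower()] = parts[1:]
    return csp


def effective_sources(csp, directive):
    """The source list that actually governs `directive`, or None if nothing restricts it."""
    while directive is not None:
        if directive in csp:
            return csp[directive]
        directive = FALLBACK.get(directive)
    return None


def source_covers(source, wanted):
    """Does one source expression allow every host that `wanted` (e.g. '*.hubapi.com') matches?"""
    if source in ("*", "https:", "http:"):
        return True                      # any host
    if source.startswith("'") or source.endswith(":"):
        return False                     # keywords, nonces, hashes, other schemes (data:, blob:)
    host = source.split("://", 1)[-1].split("/", 1)[0].lower()       # drop scheme and path
    host = host.rsplit(":", 1)[0] if host.count(":") == 1 else host  # drop port
    # Exact match, or a wider wildcard ('*.com' covers '*.hubapi.com'); a fixed host never covers a wildcard.
    return host == wanted or (host.startswith("*.") and wanted.endswith(host[1:]))


def missing_hubspot_sources(policy, required=HUBSPOT_REQUIRED):
    """(directive, host) pairs from the table that this policy would block."""
    csp, missing = parse_csp(policy), []
    for host, directives in required.items():
        for directive in directives:
            sources = effective_sources(csp, directive)
            if sources is not None and ("'none'" in sources or not any(source_covers(s, host) for s in sources)):
                missing.append((directive, host))
    return missing


def policy_warnings(policy):
    """Weak spots a reviewer flags regardless of HubSpot coverage."""
    csp = parse_csp(policy)
    script = effective_sources(csp, "script-src") or []
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    warnings = []
    if "'unsafe-inline'" in script:   # browsers drop 'unsafe-inline' once a nonce or hash is present
        warnings.append("script-src 'unsafe-inline': " + ("ignored, a nonce/hash is present" if keyed
                                                          else "injected inline script will run"))
    if "'unsafe-eval'" in script:
        warnings.append("script-src 'unsafe-eval': eval()/new Function allowed")
    if any(s in ("*", "https:", "http:") for s in script):
        warnings.append("script-src allows scripts from any host")
    if effective_sources(csp, "object-src") is None:
        warnings.append("no object-src or default-src: <object>/<embed> unrestricted")
    if "base-uri" not in csp:         # base-uri has no fallback to default-src
        warnings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return warnings


# Constructed policies: the short one from the setup steps above, and one covering the table.
SHORT_POLICY = "default-src 'self'; script-src 'self' https://*.hubspot.com"
FULL_POLICY = (
    "default-src 'self'; base-uri 'self'; object-src 'none'; "
    "script-src 'self' https://*.hubspot.com https://*.hsforms.com https://*.hsadspixel.net "
    "https://*.hs-analytics.net https://*.usemessages.com https://*.hubspot.net; "
    "img-src 'self' data: https://*.hubspot.com https://*.hsforms.com https://*.hubspot.net; "
    "connect-src 'self' https://*.hubapi.com https://*.hubspot.com https://*.hsforms.com; "
    "child-src 'self' https://*.hsforms.com; "
    "frame-src 'self' https://*.hubspot.com https://*.hsforms.com https://*.hubspot.net"
)
```

Running missing_hubspot_sources(SHORT_POLICY) shows why the short policy from the setup steps is not enough: its connect-src, img-src and frame-src all fall back to default-src 'self', so form submissions to *.hubapi.com and every embedded HubSpot tool would be blocked. FULL_POLICY covers the whole table and produces no warnings.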

Content-Security-Policy-Report-Only

Use this mode to test your CSP rules without enforcing them.
Violations are reported (to the browser's developer console, and to any report-uri or report-to endpoint named in the policy) instead of blocked, which is ideal when experimenting with new directives.

Setup: Enable Content-Security-Policy-Report-Only, define your policy directives, and toggle the nonce option if needed.
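Added example, not part of the article: if your Report-Only policy carries a report-uri or report-to directive pointing at an endpoint you run (the article does not say whether HubSpot's policy field accepts one, so treat that as an assumption), browsers POST JSON violation reports to it. This Python triage turns a batch of such reports into the directive and source you would have to add, separating inline and eval violations (which call for a nonce or hash, not 'unsafe-inline') and discarding browser-extension noise. It accepts both the legacy report-uri shape and the Reporting API shape; the report lines below are constructed, with hosts taken from the table above.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension", "safari-web-extension")
# Non-URL blocked-uri values and what they mean for the policy.
SPECIAL_BLOCKED = {
    "inline": "INLINE: add a nonce or hash, not 'unsafe-inline'",
    "self": "INLINE: add a nonce or hash, not 'unsafe-inline'",    # older browsers report inline as 'self'
    "eval": "EVAL: remove eval()/new Function, or accept 'unsafe-eval'",
    "data": "data:",
    "blob": "blob:",
}


def normalize(report):
    """Reduce either report shape to {directive, blocked, document}."""
    if "csp-report" in report:                     # report-uri (CSP2) shape
        body = report["csp-report"]
        directive = body.get("effective-directive") or body.get("violated-directive", "").split(" ")[0]
        return {"directive": directive, "blocked": body.get("blocked-uri", ""),
                "document": body.get("document-uri", "")}
    if report.get("type") == "csp-violation":      # Reporting API (report-to) shape
        body = report["body"]
        return {"directive": body.get("effectiveDirective", ""), "blocked": body.get("blockedURL", ""),
                "document": body.get("documentURL", "")}
    raise ValueError("unrecognised CSP report")


def suggested_source(blocked):
    """Source expression (or hint) that would resolve a blocked-uri; None if it is noise."""
    if blocked in SPECIAL_BLOCKED:
        return SPECIAL_BLOCKED[blocked]
    parts = urlsplit(blocked)
    if parts.scheme in EXTENSION_SCHEMES:
        return None                                # a browser extension, not your page
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # origin only; never allow-list a full path
    return None


def triage(lines):
    """Parse newline-delimited JSON reports into a Counter of (directive, suggestion)."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        r = normalize(json.loads(line))
        suggestion = suggested_source(r["blocked"])
        if suggestion and r["directive"]:
            counts[(r["directive"], suggestion)] += 1
    return counts


def summarize(lines):
    """Sorted [(directive, suggestion, count)], most frequent first within each directive."""
    return sorted(((d, s, n) for (d, s), n in triage(lines).items()),
                  key=lambda t: (t[0], -t[2], t[1]))


# Constructed reports, in the form a collector would receive them.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/", "effective-directive": "script-src",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "https://js.hs-scripts.com/12345.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/pricing", "effective-directive": "script-src",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "https://js.hs-scripts.com/12345.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/", "effective-directive": "connect-src",
                               "violated-directive": "connect-src 'self'",
                               "blocked-uri": "https://api.hubapi.com/forms/v2/submit"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/",
                               "violated-directive": "script-src 'self'", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/", "effective-directive": "script-src",
                               "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js"}}),
    json.dumps({"type": "csp-violation", "age": 12, "url": "https://www.example.com/",
                "body": {"documentURL": "https://www.example.com/", "effectiveDirective": "img-src",
                         "blockedURL": "https://track.hubspot.com/__ptq.gif"}}),
]

if __name__ == "__main__":
    for directive, suggestion, count in summarize(SAMPLE_REPORTS):
        print(f"{count:3d}  {directive:<12} {suggestion}")
```

The summary for the sample is one connect-src origin, one img-src origin, one script-src origin seen twice and one inline script that needs a nonce; the extension report is dropped. Match each suggested origin against the wildcards in HubSpot's table rather than adding hosts one by one.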

Referrer-Policy

Controls how much referrer information (the URL of the previous page) is shared with external sites. This is useful for privacy protection and analytics accuracy.

Example directives:

  • no-referrer — sends no referrer data at all.
  • same-origin — sends referrer only for same-domain requests.
  • strict-origin-when-cross-origin — modern balanced option used by default in most browsers.

Permissions-Policy

Defines which browser features and APIs can be used on your pages or embedded content — for example, access to camera, geolocation, or fullscreen mode.

Example directive: camera=(), geolocation=(self), fullscreen=(self) disables the camera entirely and restricts geolocation and fullscreen to your own origin.

Setup: Select Permissions-Policy in your security settings and add directives according to your needs. Refer to Mozilla's documentation for the full directive list.

HubSpot Plan Restrictions Summary

These advanced security headers are available only for Content Hub Starter, Professional, and Enterprise accounts. When configured properly, they significantly reduce your exposure to attacks, ensure compliance with security standards, and give you fine-grained control over how browsers handle your content.

All of the headers below are available on Content Hub Starter, Professional and Enterprise.

  Security Header                       Description                                                                   Key Options
  X-Frame-Options                       Prevents your pages from being embedded in external sites (clickjacking).     deny, sameorigin
  X-XSS-Protection                      Legacy reflected-XSS filter switch for older browsers.                        0, 1, 1; mode=block
  X-Content-Type-Options                Prevents MIME type sniffing and enforces declared content types.              nosniff
  Content-Security-Policy (CSP)         Defines which resources (scripts, styles, images, etc.) are allowed to load.  Custom directives, nonce option
  Content-Security-Policy-Report-Only   Monitors CSP policy without enforcing it; useful for testing.                 Custom directives, nonce option
  Referrer-Policy                       Controls how much referrer information is shared with requests.               no-referrer, same-origin, etc.
  Permissions-Policy                    Controls access to browser APIs and features (camera, location, etc.).        Custom directives

Note: Basic accounts do not include advanced security header configuration.
All plans, however, benefit from HubSpot’s automatic SSL provisioning and built-in security infrastructure.

Best Practices for Secure HubSpot Hosting

  1. Always enforce HTTPS and set the minimum TLS version to 1.2.
  2. Enable HSTS with includeSubDomains, and add preload only once every subdomain is served over HTTPS.
  3. Start CSP from default-src 'self', add only the sources you actually load, and run it in Report-Only mode before enforcing it.
  4. Avoid 'unsafe-inline' and 'unsafe-eval' in script-src; use HubSpot's nonce option for inline scripts instead.
  5. Re-check the headers (and the CSP violation reports) after every new integration, tag-manager change or embed.
  6. Keep DNS and CAA records up to date so certificate renewals are not blocked.

Final Thoughts

Security is not a one-time setup — it’s an ongoing process. HubSpot gives you the tools to enforce modern web security standards without complex configuration. By properly setting SSL, enforcing HTTPS, enabling headers, and configuring a strong Content Security Policy, you can protect your visitors, data, and reputation while maintaining site performance and SEO integrity.