TLS and HTTPS
A primer on TLS and HTTPS.
Transport Layer Security (TLS) is the cryptographic protocol that secures communication over a computer network. It is the successor to Secure Sockets Layer (SSL), and the name "SSL" is still widely used to mean TLS. TLS encrypts traffic so it cannot be read in transit, protects it against undetected modification, and authenticates the server to the client. Together these properties help prevent eavesdropping, tampering, and man-in-the-middle attacks.
HTTP is the protocol browsers and other clients use to exchange data with web servers. An HTTPS page load or API call is simply an HTTP exchange carried over a connection secured by TLS.
Serving your website over plain HTTP instead of TLS is a dangerous downgrade that puts your users and your website at risk. HTTP traffic can be read and modified by anyone with access to the network the traffic moves through. In contrast, HTTPS traffic can only be read by the two endpoints of the connection: the user's browser and the server that holds the private key matching the site's certificate.
Securing your application or website with TLS is especially important for websites that collect payment information (credit card and bank information) or personal information (passwords and addresses). However, any website or application that collects user information should be secured with TLS to protect users and their data.
For more on HTTPS, read Why HTTPS Matters on the Google Developer Blog.
You enable TLS on your website by installing a certificate and its private key on your server. The certificate is a small data file that binds your domain name to a public key and is what clients use to authenticate your server's identity; the private key, which must never leave the server, lets the server prove that identity and establish the encryption keys for each connection. The certificate is commonly called an SSL certificate and is issued by a certificate authority.
A certificate authority (CA) is a trusted entity (e.g., a company, nonprofit, or governing body) that issues SSL certificates after verifying that the requester controls the domain name (or, for higher-assurance certificates, is the organization) named in the certificate. Browsers and operating systems ship with a list of trusted CAs, so a certificate issued by one of them is accepted without any action from your users. For example, Let's Encrypt is a free, automated, and open certificate authority. Certificates from Let's Encrypt are easy to use, and many hosting providers support one-click installation of Let's Encrypt certificates.
Remember to verify TLS certificates for all requests, and never disable certificate or hostname verification to make a connection error go away. Even communication between your own frontend and backend can be vulnerable to man-in-the-middle attacks (for example, if credentials for part of your infrastructure are compromised): a client that skips verification will accept any certificate an attacker presents and hand its data to them.
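The following is an added example (not Square's code) that shows, in Python's standard library, what "verify certificates for all requests" looks like in practice: a client context that validates the server certificate, the hostname, and the protocol version, placed beside the "just disable it" context that turns a TLS connection into one any attacker on the path can intercept, plus an audit function you can run against contexts in your own code. The `fetch` helper and its URL are placeholders; everything else runs offline.

```python
"""Client-side TLS verification: the correct context beside the weak one.

Added example, not Square's code. Standard library only. The URL used
with fetch() is a placeholder; fetch() itself needs network access.
"""
import ssl
import urllib.request
from typing import List, Optional

MIN_VERSION = ssl.TLSVersion.TLSv1_2


def make_secure_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that verifies the server certificate and hostname.

    With ca_file=None the system trust store is used, which is what you want
    for public endpoints such as Square's APIs. Pass ca_file to trust a
    private CA for your own frontend-to-backend traffic instead of the
    public roots (an assumption about your deployment, not a requirement).
    """
    # create_default_context sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = MIN_VERSION  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' context. Shown only so it
    can be audited below; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # a certificate for any name is accepted ...
    ctx.verify_mode = ssl.CERT_NONE   # ... and it need not chain to a trusted CA
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context verifies properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate may belong to a different host")
    if ctx.minimum_version < MIN_VERSION:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} allows deprecated protocol versions"
        )
    return findings


def fetch(url: str, ctx: ssl.SSLContext) -> bytes:
    """Perform an HTTPS GET with the given context (requires network)."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("secure", make_secure_context()), ("insecure", make_insecure_context())):
        print(name, audit_context(ctx) or ["ok"])
    # fetch("https://connect.squareup.com/", make_secure_context())  # placeholder URL
```

Run `audit_context` over every `SSLContext` your code builds (and treat `verify=False`, `CERT_NONE`, or `check_hostname = False` in a code review the same way): the secure context produces no findings, while the insecure one reports both that the certificate is never validated and that the hostname is never checked.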
HTTPS libraries are available for a selection of programming languages:
| Language | Built-in HTTPS library | Open-source HTTPS libraries |
|---|---|---|
| Objective-C (iOS and OS X) | URL Loading System (NSURLSession) | Unirest, AFNetworking |
| Java (including Android) | HttpsURLConnection | Unirest, OkHttp |
HTTPS is required for all API calls to Square endpoints. Unencrypted HTTP API calls do not work. Make sure your website is served via HTTPS and that you're making HTTPS calls to our APIs.
The Square Payment Form can be loaded from localhost during development, but on any other domain it will not load unless the page is served over HTTPS.
If you cannot use HTTPS on your website but want to securely take payments, you may use the Square Checkout API. The Square Checkout API redirects your users to our secure payment form hosted on our servers, so the page that collects card details is always served over HTTPS even if your own site is not. However, serving your site over HTTP still puts your users and their data at risk. We strongly recommend finding a way to secure your websites with HTTPS, even if that means changing your hosting provider.
Many hosting providers offer one-click installation of SSL certificates from Let's Encrypt, a free, automated, and open certificate authority. Before manually enabling HTTPS, check to see if your hosting provider includes Let's Encrypt integration. If so, visit their documentation to set up a Let's Encrypt certificate.
If your hosting provider does not offer certificate installation, you may be able to obtain and install a Let's Encrypt certificate manually. Visit the Let's Encrypt Getting Started page for a high-level guide on how to obtain and install a certificate. Whichever route you take, make sure renewal is automated: Let's Encrypt certificates are valid for only 90 days, and an expired certificate makes every browser refuse to load your site.
To confirm you have successfully enabled HTTPS, load your website and check that the address bar shows "https://" at the beginning of your website address and that the browser displays a closed lock icon with no certificate warning. Also confirm that requests to the plain "http://" address redirect to "https://", so visitors who type the bare domain still end up on the secure version.
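The browser check above tells you the certificate validated today. As an added example (not Square's code), the Python below goes a step further and performs the checks a practitioner runs after enabling HTTPS: that the certificate actually covers the site's hostname (via its subjectAltName entries, with the single-leftmost-label wildcard rule browsers apply) and that it is inside its validity period and not about to expire. The `SAMPLE_CERT` dict is constructed in the shape `ssl.SSLSocket.getpeercert()` returns and is not a real certificate; `probe` connects to a live site and needs network access.

```python
"""Check the certificate an HTTPS site serves, beyond the address-bar lock.

Added example, not Square's code; standard library only. SAMPLE_CERT is a
constructed dict in the format ssl.SSLSocket.getpeercert() returns, not a
real certificate.
"""
import socket
import ssl
import time
from typing import List, Optional

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.net")),
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname. A wildcard is honoured only as
    the whole leftmost label (RFC 6125): *.example.net matches a.example.net
    but neither a.b.example.net nor example.net."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Only subjectAltName DNS entries count; browsers ignore the commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_matches(san, hostname) for san in sans)


def check_cert(cert: dict, hostname: str, now: Optional[float] = None,
               warn_days: int = 14) -> List[str]:
    """Return human-readable problems; an empty list means the certificate looks right."""
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate is not valid for {hostname}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    elif now > not_after:
        problems.append("certificate has expired")
    elif now > not_after - warn_days * 86400:
        problems.append(f"certificate expires within {warn_days} days; renew it")
    return problems


def probe(hostname: str, port: int = 443) -> List[str]:
    """Connect to a live site with full verification and run check_cert on what
    it serves (needs network; a failing handshake raises ssl.SSLError)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)


if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "shop.example.com", now=1750000000))   # []
    print(check_cert(SAMPLE_CERT, "www.example.com", now=1750000000))
    # print(probe("shop.example.com"))  # placeholder hostname; needs network
```

Running `probe` against your own domain from a cron job, and alerting on any non-empty result, catches the two failures the one-time browser check cannot: a renewal that silently stopped working, and a certificate that was issued for `example.com` but not for `www.example.com` (or the reverse).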