SSL & HTTPS

surge.sh subdomains

Every project on a surge.sh subdomain is served over HTTPS automatically, covered by Surge's certificate. There is nothing to configure.

Custom domains

Custom domains get free managed certificates. Once your domain points at Surge, provision one:

surge encrypt example.com

The certificate is issued by a trusted CA, installed across every edge node, and renewed automatically. Inspect it any time with surge certs example.com, or check it node-by-node with surge audit example.com. Details of the commands are in the CLI SSL docs.

Forcing HTTPS

Having a certificate makes your site available over HTTPS; forcing HTTPS also redirects every plain-HTTP request. Publish with the protocol on the domain:

surge ./dist https://example.com

From then on, http://example.com/… answers with a redirect to the https:// URL. This is the right setting for almost every site—browsers and search engines both favor it. The choice sticks with the project across subsequent deploys.

Bringing your own certificate

On a paid plan, you can install a certificate you already own—say a wildcard or organization-validated cert—by uploading a PEM bundle:

surge ssl example.com --pem ./bundle.pem

The bundle should contain the certificate, any intermediates, and the private key. Surge validates it before applying.