SSL & HTTPS
surge.sh subdomains
Every project on a surge.sh subdomain is served over HTTPS automatically, covered by Surge's certificate. There is nothing to configure.
Custom domains
Custom domains get free managed certificates. Once your domain points at Surge, provision one:
surge encrypt example.com
The certificate is issued by a trusted CA, installed across every edge node, and renewed automatically. Inspect it any time with surge certs example.com, or check it node-by-node with surge audit example.com. Details of the commands are in the CLI SSL docs.
Forcing HTTPS
Having a certificate makes your site available over HTTPS; forcing HTTPS also redirects every plain-HTTP request. Publish with the protocol on the domain:
surge ./dist https://example.com
From then on, http://example.com/… answers with a redirect to the https:// URL. This is the right setting for almost every site—browsers and search engines both favor it. The choice sticks with the project across subsequent deploys.
Bringing your own certificate
On a paid plan, you can install a certificate you already own—say a wildcard or organization-validated cert—by uploading a PEM bundle:
surge ssl example.com --pem ./bundle.pem
The bundle should contain the certificate, any intermediates, and the private key. Surge validates it before applying.