Square Says ‘Secure’—Our Scans Disagree. Fellow SMBs, Sound Off Here!

Hey everyone,


I’m a small business owner using Square Online, and I recently ran a security scan using ProjectDiscovery.io to check for potential vulnerabilities. While the tool is a fantastic free resource, it flagged some issues related to HTTP security on the initial landing pages of my site, which Square hosts (as a subdomain).

Our company also participates as a stakeholder in CISA’s Cyber Hygiene services.
CISA offers free cybersecurity services to help organizations reduce their exposure to threats by taking a proactive approach to monitoring and mitigating attack vectors.
Our CISA WAS scans on the Square Online subdomain also revealed this same vulnerability.


I’ve learned that while Square’s hosted checkout pages are fully PCI-compliant, the lead-up pages (where visitors first decide what to book) aren’t always forced over HTTPS or given modern security headers. That gap can expose customers to man-in-the-middle attacks long before they reach the payment form.


I’m curious to know if other small business owners using Square have encountered similar findings in their security scans or faced challenges in obtaining support to address these concerns.

I sent a message to Square support, and they did not respond in a meaningful way.

Square support has not offered a meaningful fix so far.


⚠ Self-remediation attempts haven’t worked

Several businesses (ours included) tried to harden security by placing Cloudflare or AWS CloudFront in front of their Square sites. Square’s platform doesn’t allow that: the moment DNS stops pointing straight at Square’s IPs, the domain is marked “Disconnected,” and some sites have even gone offline until DNS is reverted. In other words, small businesses can’t self-remediate—only Square can address the issue.


Why this thread?


  • Have you run scans (e.g., ProjectDiscovery, CISA, Qualys) and seen the same findings?

  • Did Square support help—or not?

  • What workarounds (if any) have you found?


Let’s pool our experiences and push for Square to give all merchants—not just enterprise accounts—the tools needed to secure every page, end-to-end.


Looking forward to your input!
“Good is the enemy of BEST practices.”

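An offline version of the check the ProjectDiscovery and CISA WAS scans in the post perform, added here as an example; it is not code from the original thread, from Square, or from either scanner. The HTTP responses are constructed inline (the hostname shop.example and all header values are placeholders). It flags a plain-HTTP landing page served without a redirect to HTTPS, a redirect that does not land on HTTPS, the common security headers missing from a 2xx response, and an HSTS max-age shorter than a year.

```python
"""Audit HTTP responses for the two findings described in the thread:
plain HTTP served without an HTTPS redirect, and missing security headers.
All responses below are constructed sample data, not captured from a real site."""

from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Headers a modern web-application scanner expects on a served HTML page,
# with the risk each one mitigates.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers are never told to refuse plain HTTP",
    "content-security-policy": "CSP missing: injected scripts and frames are unrestricted",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing not disabled",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}
ONE_YEAR = 31536000  # common minimum HSTS max-age, in seconds


@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str]


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            return int(arg.strip())
    return None


def audit(resp: Response) -> List[str]:
    """Return the findings a header/transport scan would raise for one response."""
    findings: List[str] = []
    h = _lower_keys(resp.headers)
    scheme = urlsplit(resp.url).scheme

    if scheme == "http":
        location = h.get("location", "")
        if 300 <= resp.status < 400 and location.startswith("https://"):
            return findings  # correct: plain-HTTP request bounced to HTTPS
        if 300 <= resp.status < 400:
            findings.append(f"HTTP redirect does not land on HTTPS (Location: {location or 'absent'})")
        else:
            findings.append(
                f"plain-HTTP page served with status {resp.status} and no redirect to HTTPS "
                "(visitor is exposed to man-in-the-middle tampering)"
            )

    if 200 <= resp.status < 300:
        for name, why in EXPECTED_HEADERS.items():
            if name not in h:
                findings.append(why)
        hsts = h.get("strict-transport-security")
        if hsts is not None:
            max_age = hsts_max_age(hsts)
            if max_age is None or max_age < ONE_YEAR:
                findings.append(f"HSTS max-age too low or unparseable ({hsts!r}); {ONE_YEAR} is the usual minimum")
    return findings


# Constructed sample responses (placeholder host shop.example).
LANDING_PLAIN = Response("http://shop.example/", 200, {"Content-Type": "text/html", "Server": "nginx"})
REDIRECT_OK = Response("http://shop.example/", 301, {"Location": "https://shop.example/"})
LANDING_HTTPS_WEAK = Response(
    "https://shop.example/book", 200,
    {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN"},
)
CHECKOUT_HARDENED = Response(
    "https://shop.example/checkout", 200,
    {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
)


def audit_all(responses: List[Response]) -> Dict[str, List[str]]:
    """Map each URL to its findings; an empty list means the response passed."""
    return {r.url + f" [{r.status}]": audit(r) for r in responses}


if __name__ == "__main__":
    for url, found in audit_all([LANDING_PLAIN, REDIRECT_OK, LANDING_HTTPS_WEAK, CHECKOUT_HARDENED]).items():
        print(url, "->", "OK" if not found else "")
        for f in found:
            print("   -", f)
```

To run it against a live site, fetch each landing page over both `http://` and `https://` with a client that does not follow redirects and pass the status and headers into `Response`. Note the shape of the result matches the post: a hardened checkout page can pass while the plain-HTTP landing page that precedes it fails, and because the fix is a redirect and headers emitted by the origin, it has to be applied wherever the pages are actually served, not by a proxy the DNS constraint described above prevents you from inserting.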
Square Community Moderator

Hey @IT-HelpSanDiego, I appreciate you for flagging this and raising such an important topic. I can understand how concerning these findings must be—especially when they involve customer trust and overall site security.


I don’t have an update to share at this time, but I’ve passed your detailed feedback along to the appropriate teams.

I’ll also tag some Super Sellers here who may be able to share their experiences or insights. @TOTSC @indianathomas @jjsmeatshak1 @kinoscoffee


Thanks again for bringing this to the community and continuing to advocate for stronger security tools for small businesses. If there's anything else I can help with, just let me know.

MayaP
Square Community Moderator

Thank you @MayaP I do hope the issue gets attention.


Any word from Square, @MayaP? I have this week’s WAS scan and would like to submit it to the Square security team for review. There does not seem to be a publicly published way to do so.


Disappointed that the only reply is from a MOD; it just goes to show that our country’s priorities are still not set on strong, secure, AND creative code.
When are the devs gonna stop with the "just turn off all the security, then it will work" attitude?
No wonder we are so viciously hacked as a nation. We are asking for it.
