Google Says X-Frame-Options Matters For SEO

Google's John Mueller says X-Frame-Options is the one security header that may matter for SEO.

Google’s John Mueller answered a question about security headers in the context of client technical SEO audits. Although he singled out one of the headers as having an SEO effect, many of the other security headers, if not used, can result in a negative SEO effect.

What Are Security Headers?

Security headers are instructions sent from web servers to browsers (HTTP directives). They tell browsers how to handle content securely and help protect against common web-based attacks like cross-site scripting, clickjacking, and malicious script injection.

Some examples of what security headers protect against:

  • Data theft:
    Stealing sensitive user information
  • Session hijacking:
    Stealing login sessions
  • Man-in-the-middle attacks:
    Intercepting browser-server traffic

Which Security Headers Belong In An SEO Audit?

The person on Reddit asking the question wanted to know which security headers they should add in a technical SEO audit.

They asked:

“I wanted to conduct a full security header review audit for my website and some clients and I see csp, x frame, x content and permissions policy as important ones but are there any others that I should be potentially looking at?”

Google’s John Mueller responded that the X-Frame-Options security header was the one that might be useful in a technical SEO audit and gave a brief explanation why. His answer is actually a fairly common response but there is more to security headers and SEO than Mueller explained.

His response:

“The only security headers that I could imagine have an effect on SEO is blocking iframing by other sites, either with the old x-frame-options header, or the CSP frame-ancestors. Otherwise, from my understanding, the security headers are more about, well, security”

John Mueller is correct that the X-Frame-Options security header is the one that’s most directly relevant to SEO. But he leaves out the security headers that are indirectly related to SEO.

Why X-Frame-Options Security Header Is Relevant For SEO

The X-Frame-Options header has been around for almost twenty years but it’s still relevant today because it blocks other sites from using an iframe to display your site’s content. That’s why this security header is useful: it prevents other sites from ranking in Google with your content.

What’s The Deal With Security Headers?

There are six core security headers plus five more that are for specific use cases. Are they useful for SEO? In my opinion, yes they are useful for SEO because getting hacked will cause a site to no longer rank for its keywords. So yes, some of the security headers should be a part of an SEO audit, just as a review of WordPress plugins used should be a part of it.

Non-Optional Security Headers

Strict-Transport-Security (HSTS)
This forces browsers to connect to the website with secure HTTPS connections.

X-Content-Type-Options
The nosniff directive in this security header helps prevent cross-site scripting (XSS). It’s not a total solution, but it’s helpful.

X-Frame-Options
As already discussed, this prevents other sites from embedding your content in iframes and ranking with it.

Highly Recommended

Content-Security-Policy (CSP)
This restricts which content sources a browser can load in order to prevent cross-site scripting (XSS) and data injection attacks.

Optional Security Headers

Referrer-Policy
This controls how much referrer data is shared with other websites when a user clicks an outbound link. This can also be set with HTML. For example, it can be set with the meta tag: <meta name="referrer" content="origin" /> and it can be used on a link: <a href="https://example.com" referrerpolicy="origin">

Permissions-Policy
This restricts which browser features and hardware APIs can be used on a website. This security header doesn’t work in many popular browsers. More information is available on the Mozilla Developer Network: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Permissions_Policy
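
The header tiers listed above can be checked locally against a saved response. The Python below is an added example, not code from the article or from any tool it names; the function names and the sample response are constructed. Treating HSTS max-age=0 and a bare frame-ancestors * as failures is this example's assumption.

```python
import re

# Constructed sample response (not captured from a real site).
SAMPLE_RAW = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Referrer-Policy: origin
"""

def parse_headers(raw):
    """Lowercase header names; join repeated headers with a comma."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def frame_ancestors_restricts(csp):
    """True if a frame-ancestors directive is present and is not a bare '*'."""
    for directive in re.split(r"[;,]", csp):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return "*" not in tokens[1:]
    return False

def audit(headers):
    """Return {check: (tier, passed)}; tiers follow the article's grouping."""
    csp = headers.get("content-security-policy", "")
    hsts = re.search(r'max-age\s*=\s*"?(\d+)', headers.get("strict-transport-security", ""), re.I)
    xfo = headers.get("x-frame-options", "").strip().upper()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    # Framing control: the older X-Frame-Options or CSP frame-ancestors.
    framing = xfo in ("DENY", "SAMEORIGIN") or frame_ancestors_restricts(csp)
    return {
        "hsts": ("non-optional", bool(hsts) and int(hsts.group(1)) > 0),  # max-age=0 switches HSTS off
        "nosniff": ("non-optional", nosniff),
        "framing": ("non-optional", framing),
        "csp": ("highly recommended", bool(csp.strip())),
        "referrer-policy": ("optional", "referrer-policy" in headers),
        "permissions-policy": ("optional", "permissions-policy" in headers),
    }

def failures(report, tier="non-optional"):
    """Names of failed checks in one tier, sorted."""
    return sorted(name for name, (t, ok) in report.items() if t == tier and not ok)

if __name__ == "__main__":
    print(failures(audit(parse_headers(SAMPLE_RAW))))
```

The sample passes the framing check through CSP frame-ancestors alone, which is why the check accepts either header rather than requiring X-Frame-Options.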

Security Headers For SEO?

Anything that can be done to keep a website from losing its rankings is an SEO imperative. Although John Mueller limited his recommendation of security headers to add to an SEO audit to the X-Frame-Options header, many of the other core security headers are also important to use.

While most security headers do not directly impact SEO in any way, they do offer protection that can help maintain search visibility. Security headers can also help maintain user trust and the user experience by preventing exposure to malicious scripts, protecting sensitive data, and enforcing privacy.

Private content management systems like Wix set the security headers themselves. Sites that use WordPress can set these headers with plugins.

For example, the following WordPress plugins all have the functionality to add security headers:

  • All in One SEO (AIOSEO)
  • W3 Total Cache (W3TC)
  • Really Simple Security
  • The popular Redirection plugin

Surprisingly, neither Sucuri Security nor Wordfence offers security header functionality. AIOSEO apparently recognizes the value of security headers so it’s curious that popular SEO plugins like Yoast SEO and Rank Math do not.

Circling back to SEO site audits, in my opinion it’s logical that security headers belong in an SEO audit, as does a light security review of a website in general. Checking security headers is easy. I like SecurityHeaders.com but there are many other sites that offer free security header checkers.

SEJ STAFF Roger Montti Owner - Martinibuster.com at Martinibuster.com