A recent Google SEO Office Hours featured a question about whether a security header conferred a ranking influence.
It’s not as far out a question as it first appears, because a security header like the HSTS header plays an important role in assuring a secure HTTPS connection, and HTTPS is a lightweight Google ranking signal.
HSTS Security Header
A header is part of the response that a server sends to a browser (or a crawler).
The best-known examples are the response codes that accompany a page, such as the 404 error response or the 301 redirect response.
The purpose of an HTTP header is to offer additional metadata about the webpage that a browser or crawler is requesting.
Security headers are a special group of headers that enforce different kinds of security to protect against various malicious attacks and keep the site secure for users.
An HSTS security header is a response header that tells the browser the site should only be accessed via HTTPS, never by plain HTTP, so that the browser requests the HTTPS version directly the next time.
Using this header is better than only using a 301 redirect.
When a browser accesses a site with HTTP and is redirected to HTTPS, the next time the browser asks for the webpage it will again ask for the HTTP page, causing the server to do the redirect all over again.
The important consideration is that a site that relies only on a 301 redirect is still vulnerable to a man-in-the-middle attack, because that first plain-HTTP request travels unprotected before the redirect ever arrives.
The HSTS header stops that from happening by having the browser request only the HTTPS page, which makes the entire site more secure.
So, a site that uses an HSTS header is more secure in terms of HTTPS.
Does the HSTS Header Influence Rankings?
The question asked of John Mueller:
“Does the integration of security headers such as for HSTS have a ranking influence?”
John Mueller answered:
“No, the HSTS header does not affect Search.
This header is used to tell users to access the HTTPS version directly, and is commonly used together with redirects to the HTTPS versions.
Google uses a process called canonicalization to pick the most appropriate version of a page to crawl and index—it does not rely on headers like those used for HSTS.
Using these headers is of course great for users though.”
HSTS is a Good Security Practice
HSTS is a message to browsers and, according to John Mueller, Googlebot doesn’t rely on headers.
Nevertheless, good security practices are something that every site should follow, regardless of whether they confer a ranking influence or not.
Chrome hosts an HSTS preload list, which all browsers use to load the listed sites over HTTPS automatically; the list is hard-coded into the browser.
Instructions for how to do it are on the HSTS Preload website.
Listen to the Office Hours discussion at the 4:57 minute mark: