In a recent Google SEO consultation, the question was asked whether a security header has an impact on the ranking.
This question isn’t as far-fetched as it first appears, since a security header like the HSTS header plays an important role in ensuring a secure HTTPS connection, and HTTPS is a lightweight Google ranking signal.
HSTS security header
An HTTP header is metadata that a server sends to a browser (or a crawler) along with its response.
The most familiar parts of a response are the status codes, such as the 404 error or the 301 redirect, which are delivered together with the response headers.
The purpose of an HTTP header is to provide additional metadata about the webpage that a browser or crawler is requesting.
Security headers are a special group of headers that instruct the browser to enforce different kinds of protection against various malicious attacks and keep a website safe for its users.
An HSTS security header is a response header that tells the browser to access the website only over HTTPS and never over HTTP, and to request HTTPS directly the next time.
Using this header is better than just using a 301 redirect.
If a browser first reaches a website over HTTP and is redirected to HTTPS, it will still ask for the HTTP page the next time, and the server has to perform the redirect again.
The important consideration is that a site relying only on a 301 redirect remains vulnerable to a man-in-the-middle attack: each of those initial HTTP requests travels in plaintext and can be intercepted before the browser ever sees the redirect.
The HSTS header prevents this by causing the browser to only request an HTTPS page, making the entire website more secure.
Therefore, a site that uses an HSTS header is more secure with respect to HTTPS.
Does the HSTS header affect ranking?
The question to John Mueller:
“Does the integration of security headers like for HSTS have an impact on the ranking?”
John Mueller replied:
“No, the HSTS header does not affect the search.
This header is used to direct users to access the HTTPS version directly and is often used with redirects to the HTTPS versions.
Google uses a process called canonicalization to choose the most appropriate version of a page to crawl and index – it doesn’t rely on headers like those used for HSTS.
However, using these headers is obviously great for users.”
HSTS is good security practice
HSTS is a message to browsers, and according to John Mueller, Googlebot doesn’t rely on headers like those used for HSTS when choosing which version of a page to index.
Still, good security practices should be practiced on every website, regardless of whether they have an impact on rankings or not.
Chrome maintains an HSTS preload list, which browsers use to access the listed domains over HTTPS automatically, even on the very first visit. The list is hard-coded in the browser, so no initial HTTP request is needed to learn the policy.
See the HSTS Preload website for instructions.
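As an added example (not from the article, from Google, or from the HSTS Preload project), a small Python model of the two behaviours described above: how a browser decides whether a typed http:// URL goes out in plaintext or is upgraded by a remembered HSTS policy, and a parser that checks a Strict-Transport-Security value against the preload list's submission requirements (one-year max-age, includeSubDomains, preload). The function names and sample header values are constructed for illustration.

```python
from dataclasses import dataclass
ONE_YEAR = 31_536_000  # seconds; the minimum max-age hstspreload.org accepts

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value, e.g. 'max-age=31536000;
    includeSubDomains; preload' (RFC 6797: names case-insensitive, max-age required)."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header_value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():  # must be a non-negative integer
                raise ValueError(f"bad max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_problems(policy: HstsPolicy) -> list:
    """Reasons the policy would fail preload-list submission (empty list = eligible)."""
    checks = [
        (policy.max_age >= ONE_YEAR, f"max-age {policy.max_age} is below one year ({ONE_YEAR})"),
        (policy.include_subdomains, "includeSubDomains directive missing"),
        (policy.preload, "preload directive missing"),
    ]
    return [msg for ok, msg in checks if not ok]

def remember_hsts(cache: dict, host: str, policy: HstsPolicy, now: float) -> None:
    """Store the expiry of a policy received over HTTPS; max-age=0 clears it."""
    if policy.max_age == 0:
        cache.pop(host, None)
    else:
        cache[host] = now + policy.max_age

def scheme_browser_will_use(cache: dict, host: str, now: float) -> str:
    """A typed http:// URL goes out as plaintext (and needs the server's 301)
    unless an unexpired HSTS entry makes the browser upgrade it to HTTPS."""
    expires = cache.get(host)
    return "https" if expires is not None and expires > now else "http"
```

Note that the cache only helps after one successful HTTPS visit; a preloaded domain skips even that first plaintext request.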
Listen to the office hours discussion at minute 4:57: