<\/p>\n
A recent Google SEO Office Hours included a question about whether a security header confers an influence on ranking.<\/p>\n
It’s not as far-fetched as it seems at first glance because a security header like the HSTS header plays an important role in ensuring a secure HTTPS connection, and HTTPS is a lightweight Google ranking signal.<\/p>\n
A header is a response that a server provides to a browser (or crawler).<\/p>\n
The most well-known header is the response header such as the 404 error response or the 301 response header.<\/p>\n
The purpose of an HTTP header is to provide additional metadata about the web page that a browser or crawler is requesting.<\/p>\n
Security headers are a special group of headers that apply different types of security to protect against various malicious attacks and keep the site safe for users.<\/p>\n
An HSTS security header is a response that tells the browser that the web page should only be accessed via HTTPS, never HTTP, and to request HTTPS next time.<\/p>\n
Using this header is better than just using a 301 redirect.<\/p>\n
When a browser accesses a site using HTTP and is redirected to HTTPS, the next time the browser requests a web page, it will request an HTTP page again, causing the server to do the redirect again.<\/p>\n
The important consideration is that the site that only uses a 301 redirect is still vulnerable to a man-in-the-middle attack.<\/p>\n
The HSTS header prevents this from happening by making the browser only request an HTTPS page, making the entire site more secure.<\/p>\n
Therefore, a site that uses an HSTS header is more secure with respect to HTTPS.<\/p>\n
The question asked of John Mueller:<\/strong><\/p>\n “Does the integration of security headers such as HSTS have an influence on classification?”<\/p>\n John Mueller replied:<\/strong><\/p>\n “No, the HSTS header does not affect search.<\/p>\n This header is used to tell users to go directly to the HTTPS version and is commonly used in conjunction with redirects to the HTTPS versions.<\/p>\n Google uses a process called canonicalization to choose the most appropriate version of a page to crawl and index; it is not based on headers like those used for HSTS.<\/p>\n Using these headers is of course great for users.<\/p>\n HSTS is a message to browsers, and according to John Mueller, Googlebot doesn’t rely on headers.<\/p>\n However, good security practices are something any site should practice, regardless of whether they confer ranking influence or not.<\/p>\n Chrome hosts an HSTS preload list that all browsers use to automatically use HTTPS, it’s hard-coded into the browser.<\/p>\n Instructions on how to do this can be found at HSTS preload website<\/a>.<\/p>\n Listen to the Office Hours discussion at minute 4:57:<\/strong><\/p>\nHSTS is a good security practice<\/h2>\n