In a hangout, one SEO professional asked John Mueller about HSTS and whether or not this is something that is important to SEO.
Their question was:
My question is about pre-loading SSL via HSTS. They are running into an issue where they are implementing HSTS into the Google Chrome preload list.
John added that the question goes on with a lot of details. But their main query is essentially: what should they do for search regarding HSTS?
John said, taking a step back, when you have HTTPS pages, and you have an HTTP version, usually you would redirect from the HTTP version to HTTPS.
And the HTTPS version would then be the secure version, because that has all the properties of the secure URLs.
The HTTP version, of course, would be the one that is open and still a bit vulnerable. If you rely on this redirect, then in theory an attacker could take that into account and interfere with the redirect.
With HSTS, you’re telling the browser that, once they have seen this redirect, it should always expect that redirect, and it shouldn’t even try the HTTP version of that URL.
For users, this has the advantage that nobody goes to the HTTP version of the page anymore, which makes it more secure.
The preload list for Google Chrome is a kind of static list that may be included in Chrome. But, John is not 100 percent sure whether it’s included in all the updates or downloaded separately.
Regardless, this preload list is a list of all the sites where Google has confirmed that HSTS is set up properly and that the redirect to the secure page exists, so that no user ever needs to go to the HTTP version of the page, which makes it a bit more secure.
From a practical point of view, this difference is very minimal. And John would expect that most sites on the internet just use HTTPS without worrying about the preload list.
John emphasized that HSTS is always a good practice. But, it’s something that you can do on your server.
And as soon as the user has seen that, then their Chrome version will keep this in mind automatically anyway.
From a general point of view, John thinks using the preload list is definitely a good idea if you can do that. But if there are practical reasons why this isn’t feasible or not possible, then from his point of view, at least when looking only at the SEO side of things, John would not worry about it all that much.
Additionally, when it comes to SEO, John says that what really matters to Google is which URL is picked as the canonical. For that, it doesn’t need HSTS, and it doesn’t need the preload list, since that has no effect at all on how Google picks the canonical.
But rather, for the canonical, the part that’s important is that Google does see the redirect from HTTP to HTTPS.
And Google can get confirmation of that within your site via the sitemap file and the internal linking, which signal that the HTTPS version is really the one that should be used in search.
He also explained that if Google does use the HTTPS version in search, then it automatically gets all of those subtle ranking bonuses, and the preload list and HSTS are not really needed for that.
This happens at approximately the 21:15 mark in the video.
John Mueller Hangout Transcript
John (Question)
Let’s see, another question about HTTPS maybe. I have a question around preloading SSL via HSTS. We’re running into an issue where implementing HSTS into the Google Chrome preload list. And the question kind of goes on with a lot of details. But what should we do for search?
John (Answer)
So maybe just taking a step back, when you have HTTPS pages, and you have an HTTP version, usually, you would redirect from the HTTP version to HTTPS. And the HTTPS version would then be the secure version, because that has all of the properties of the secure URLs. And the HTTP version, of course, would be the one that is kind of open or a little bit vulnerable. And if you have this redirect, then theoretically, an attacker could take that into account and kind of mess with that redirect. And with HSTS, basically, you’re telling the browser that, once they’ve seen this redirect, it should always expect that redirect, and it shouldn’t even try the HTTP version of that URL.
And for users that has the advantage that nobody even goes to the HTTP version of that page anymore, which makes it a little bit more secure. And the preload list for Google Chrome is basically a kind of a static list that is included, I believe in Chrome, probably in all of the updates, or I don’t know if it’s downloaded separately, not completely sure. But essentially, this is a list of all of the sites where we have confirmed that HSTS is set up properly. And that redirect to the secure page exists there. So that no user ever needs to go to the HTTP version of the page, which makes it a little bit more secure. From a practical point of view, this difference is very minimal. And I would expect that most sites on the internet just use HTTPS without kind of worrying about the preload list.
Setting up HSTS is always a good practice. But it’s something that you can do on your server. And as soon as the user has seen that, then their Chrome version keeps that in mind automatically anyway. So from kind of a general point of view, I think, using the preload list is definitely a good idea if you can do that. But if there are practical reasons why that isn’t feasible or not possible, then from my point of view, at least, like only looking at the SEO side of things, I would not worry about that.
When it comes to SEO, for Google, what really matters is essentially the URL that is picked as the canonical. And for that, it doesn’t need HSTS. It doesn’t need the preload list, that has no effect at all on how we pick the canonical. But rather, for the canonical, the part that is important is we see that redirect from HTTP to HTTPS. And we can kind of get a confirmation within your website through the sitemap file, the internal linking, all of that, that the HTTPS version is really the one that should be used in search.
And if we use the HTTPS version in search, then that automatically gets all of those kinds of subtle ranking bonuses from search, and the preload list and HSTS is not really necessary there. So that’s kind of the part that I would focus on there. Let’s see, maybe one more question here. I don’t really have a great answer. But I think it’s important to at least mention as well.