In a hangout, one SEO professional asked John Mueller about HSTS and whether or not this is something that is important to SEO.
Their question was:
My question is about pre-loading SSL via HSTS. They are running into an issue where they are implementing HSTS into the Google Chrome preload list.
John added that the question goes on with a lot of detail, but the main query is essentially: what should they do for search regarding HSTS?
John said, taking a step back, when you have HTTPS pages, and you have an HTTP version, usually you would redirect from the HTTP version to HTTPS.
And the HTTPS version would then be the secure version, because that has all the properties of the secure URLs.
The HTTP version, of course, would be the one that is open and still a bit vulnerable. If you have this redirect, then an attacker could take this into consideration and mess with that redirect.
With HSTS, you’re telling the browser that, once they have seen this redirect, it should always expect that redirect, and it shouldn’t even try the HTTP version of that URL.
For users, this has the advantage that nobody goes to the HTTP version of the page anymore, which makes it more secure.
The preload list for Google Chrome is a kind of static list that is included in Chrome, although John is not 100 percent sure whether it ships with every update or is downloaded separately.
Regardless, this preload list is a list of all the sites where Google has confirmed that HSTS is set up properly and that the redirect to the secure page exists, so that no user ever needs to go to the HTTP version of the page, which makes it a bit more secure.
From a practical point of view, this difference is very minimal, and John would expect that most sites on the internet just use HTTPS without worrying about the preload list.
John emphasized that HSTS is always a good practice, but it's something you can do on your server: as soon as the user has seen it, their Chrome version will keep it in mind automatically anyway.
From a general point of view, John thinks using the preload list is definitely a good idea if you can do that. But if there are practical reasons why this isn't feasible, then from his point of view, at least when looking only at the SEO side of things, John would not worry about it all that much.
Additionally, when it comes to SEO, John says that what really matters to Google is which URL is picked as the canonical. For that, Google doesn't need HSTS or the preload list, since those have no effect at all on how Google picks the canonical.
Rather, what's important for the canonical is that Google does see the redirect from HTTP to HTTPS, and that Google can get confirmation within your site, via the sitemap file and the internal linking, that the HTTPS version is really the one that should be used in search.
He also explained that if Google does use the HTTPS version, then it will inherit all of the subtle ranking bonuses in search, and the preload list and HSTS are not really needed for that.
This happens at approximately the 21:15 mark in the video.