P2Issue #29
Missing HSTS Header
What does it mean?
HSTS (HTTP Strict Transport Security) is a response header that tells browsers to connect to your site only over HTTPS. Once a browser has seen the header on an HTTPS response, it rewrites any later http:// request for that host to https:// before sending it, even if the user types http:// or follows an insecure link, and it stops users from clicking through certificate errors for that host.
If the HSTS header is missing, browsers will still send plain http:// requests whenever a user or a link asks for them, leaving the site exposed to:
Downgrade attacks
Man-in-the-middle (MITM) attacks
Mixed-content warnings from http:// subresources on your own domain, which HSTS would otherwise have upgraded to https://
Why is it bad for SEO & Performance?
Security Weakness
Without HSTS, an attacker on the network path can answer the victim's first http:// request, keep the victim on plaintext and proxy the real HTTPS site behind the scenes (SSL stripping). HSTS removes the plaintext request the attack depends on.
Duplicate Content Issues
Search engines might index both http:// and https:// versions, creating duplicate pages.
Crawl Budget Wastage
Googlebot might crawl insecure (http://) versions, wasting crawl budget.
Trust & Rankings
Google has used HTTPS as a ranking signal since 2014. HSTS makes sure every visit, including crawler visits, actually lands on the HTTPS version rather than on a stray http:// copy.
User Experience
Users may see browser warnings like βNot Secureβ if they land on HTTP versions.
How to Fix It
Add the HSTS header at the server level (Apache, Nginx, Cloudflare, etc.) on every HTTPS response. Browsers only honour the header when it arrives over HTTPS, so sending it on the http:// side does nothing; the http:// side should simply redirect to https://.
Recommended configuration:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
max-age=31536000: enforce HTTPS for one year, counted from the last time the browser saw the header.
includeSubDomains: apply the rule to all subdomains. Every subdomain must already serve valid HTTPS, otherwise returning visitors can no longer reach it.
preload: has no effect in the browser by itself; it records your consent to be submitted to the HSTS Preload List (hstspreload.org), which ships the domain inside Chrome, Firefox, Safari and Edge so that even a visitor's very first request goes over HTTPS. Submission requires includeSubDomains, preload and a max-age of at least one year.
Because a long max-age and a preload entry are hard to undo, roll out with a short max-age (a few minutes) first, confirm nothing on any subdomain breaks, then raise it to a year and add preload.
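The following is an added example, not code from the original page or from any server vendor. It checks a Strict-Transport-Security policy the way a deployment review would: it parses the directives, reports a header that was only seen over plain HTTP (browsers ignore it there), and compares the result against the directives recommended above and the one-year minimum max-age the preload list requires. The sample responses are constructed for illustration; check_url is a convenience wrapper for live checks and is not used by the offline samples.

```python
"""Check a Strict-Transport-Security policy against the recommended settings.

Added example, not code from the original page. The sample responses at
the bottom are constructed for illustration, not captured from a real site.
"""
import urllib.request

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Split an HSTS header value into a dict of directives.

    Directive names are case-insensitive (RFC 6797); max-age is returned
    as an int, valueless directives as True, and unknown directives are
    kept so the caller can see them.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age value {arg!r}")
            directives[name] = int(arg)
        else:
            directives[name] = arg or True
    return directives


def check_hsts(headers, scheme="https"):
    """Return a list of findings for one HTTP response; [] means the
    policy matches the recommended configuration.

    headers: response headers as a dict (names matched case-insensitively).
    scheme:  the scheme the response was fetched over. Browsers ignore HSTS
             on plaintext responses, so a header seen only on http:// is
             reported as ineffective rather than as a working policy.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing: no Strict-Transport-Security header"]

    findings = []
    if scheme != "https":
        findings.append("ineffective: HSTS is ignored over plaintext HTTP")
    try:
        d = parse_hsts(value)
    except ValueError as err:
        return findings + [f"malformed: {err}"]

    if "max-age" not in d:
        findings.append("malformed: max-age is required")
    elif d["max-age"] == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif d["max-age"] < ONE_YEAR:
        findings.append(f"weak: max-age={d['max-age']} is below one year")
    if "includesubdomains" not in d:
        findings.append("weak: includeSubDomains missing, subdomains stay unprotected")
    if "preload" not in d:
        findings.append("note: preload directive missing, not eligible for the preload list")
    return findings


def check_url(url):
    """Fetch url (following redirects) and check the final response.

    Convenience wrapper for live checks; the offline samples below do not
    use it.
    """
    with urllib.request.urlopen(url) as resp:
        scheme = resp.geturl().split(":", 1)[0]
        return check_hsts(dict(resp.headers.items()), scheme)


# Constructed sample responses mirroring the page's bad/good examples.
SAMPLES = {
    "bad (missing)": ({"Content-Type": "text/html"}, "https"),
    "good": ({"Content-Type": "text/html",
              "Strict-Transport-Security":
                  "max-age=31536000; includeSubDomains; preload"}, "https"),
    "short max-age": ({"Strict-Transport-Security": "max-age=300"}, "https"),
    "only over http": ({"Strict-Transport-Security":
                        "max-age=31536000; includeSubDomains; preload"}, "http"),
}

if __name__ == "__main__":
    for name, (hdrs, scheme) in SAMPLES.items():
        print(f"{name}: {check_hsts(hdrs, scheme) or ['ok']}")
```

Run it as a script to see the four constructed samples graded, or call check_url("https://example.com/") to grade a live site; the "only over http" sample is the case a server that sends the header before redirecting to HTTPS gets wrong.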
Example
Bad (HSTS missing):
HTTP/1.1 200 OK
Content-Type: text/html
Good (HSTS enabled):
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Result of Fixing
Browsers send only HTTPS requests to your domain once they have cached the policy
Prevents duplicate content between HTTP and HTTPS
Protects users from MITM and SSL-stripping attacks
Improves Google SEO trust signals
Qualifies the domain for the HSTS Preload List, which also covers a visitor's very first request
Frequently Asked Questions
What is the HSTS header?
HSTS (HTTP Strict Transport Security) is a security header that forces browsers to connect to your site only via HTTPS.
Why is a missing HSTS header problematic for SEO and performance?
It can lead to security weaknesses, duplicate content issues, crawl budget wastage, reduced trust and rankings, and negative user experience.
How can I fix issues caused by a missing HSTS header?
You can fix them by adding the HSTS header on every HTTPS response at the server level, using the recommended directives max-age, includeSubDomains, and preload.
What are the benefits of adding an HSTS header?
Adding it ensures all traffic is HTTPS, prevents duplicate content between HTTP/HTTPS, protects users from MITM attacks, improves Google SEO trust signals, and helps qualify for the HSTS Preload List.