Updated May 2026

HSTS: HTTP Strict Transport Security and SEO

HTTP Strict Transport Security (HSTS) is a response header that tells browsers to refuse any future connection to your domain over plain HTTP. It is one of the most important security headers a site can ship, and it has indirect but meaningful SEO benefits. It is also one of the easiest headers to misconfigure in a way that breaks your site for months. This guide covers what HSTS does, how it touches SEO, and how to deploy it without painting yourself into a corner.

Check whether your site ships HSTS, HTTPS, and other technical signals correctly.Try SitemapFixer Free

1. What Is HSTS?

HSTS, defined in RFC 6797, is a mechanism that lets a website declare to browsers: I am only ever to be accessed over HTTPS. If you ever see a plain http:// link to me, upgrade it before sending the request, and refuse to connect if my certificate fails. Once a browser receives the HSTS header, it remembers the policy for a configurable period and applies it automatically.

The benefit is that it eliminates an entire category of attacks: SSL-stripping, where an attacker sitting between the user and the server downgrades the connection to HTTP and intercepts the traffic. With HSTS active, the browser refuses to ever talk HTTP to your domain, so there is nothing to strip.

2. The Strict-Transport-Security Header

HSTS is delivered as a single response header on HTTPS responses. The canonical, preload-ready value is:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

A more conservative starting value, suitable for the first weeks after enabling, omits subdomains and preload:

Strict-Transport-Security: max-age=31536000

Browsers ignore the header on plain HTTP responses, so it must be served from your HTTPS endpoint to take effect.

3. How HSTS Improves SEO Indirectly

HSTS is not a direct ranking factor — Google does not give a bonus for the header itself. But it reinforces three signals that do influence rankings:

HTTPS reinforcement: HTTPS has been a confirmed ranking signal since 2014. HSTS guarantees no user ever ends up on an HTTP version, which means no duplicate content split across protocols and no http-to-https redirect chain in the user's path.
Trust and security signals: Chrome, Edge, and Safari surface security warnings on sites without proper HTTPS configuration. HSTS prevents those warnings, which preserves CTR from SERPs.
Crawl efficiency: Googlebot doesn't directly honor HSTS the way a browser does, but ensuring your site never serves HTTP responses removes redirect overhead and avoids wasted crawl budget on http-to-https hops.

4. Understanding the max-age Directive

The max-age directive specifies, in seconds, how long the browser should remember and enforce the HSTS policy after the last time it saw the header. Common values:

max-age=300 (5 minutes): testing only.
max-age=86400 (1 day): cautious initial rollout.
max-age=2592000 (30 days): early production.
max-age=31536000 (1 year): standard production.
max-age=63072000 (2 years): required for the HSTS preload list.

Setting max-age=0 tells the browser to forget the policy immediately — useful as an escape hatch if you need to back out, but only effective for browsers that revisit the site before their cached policy expires.

5. The includeSubDomains Directive

Adding includeSubDomains extends the HSTS policy to every subdomain of the domain that served the header. If example.com sets it, then blog.example.com, shop.example.com, and internal.dev.example.com all become HTTPS-only in the browser's view.

This is powerful and dangerous in equal measure. Before enabling it, audit every subdomain you own — including legacy marketing pages, internal tools, and forgotten staging environments — and confirm each one has a valid TLS certificate and serves over HTTPS. A single subdomain stuck on HTTP becomes unreachable for any user whose browser has cached your HSTS policy.

6. The preload Directive and the HSTS Preload List

The preload directive is a flag indicating that the site owner wants the domain added to the HSTS preload list — a hardcoded list of HTTPS-only domains shipped inside Chrome, Firefox, Safari, Edge, and Opera. Browsers consult the list before making the first connection to a domain.

The benefit: even a brand-new browser that has never visited your site will refuse to connect over HTTP. There is no first-visit window of vulnerability. The cost: removal from the preload list takes weeks to months and requires a new release cycle of every major browser.

7. How to Submit Your Site to the HSTS Preload List

Submission happens at hstspreload.org. The eligibility checklist:

Serve a valid certificate on the apex domain and all subdomains.
Redirect from HTTP to HTTPS on the apex, on the same host (no redirecting http://example.com straight to https://www.example.com).
Serve all subdomains over HTTPS, including www if it exists.
Send the HSTS header on HTTPS responses with max-age at least 31536000 seconds (1 year), includeSubDomains, and preload.

Approval typically takes a few weeks. The actual hardcoding into browsers ships in subsequent releases, so it can be 2–3 months before the preload status is fully active across the user base.

8. HSTS and Site Migrations

HSTS preload is one of the few decisions in technical SEO that is genuinely hard to undo. If you preload example.com and later need to spin up an HTTP-only test subdomain, run a third-party widget on a non-HTTPS domain, or migrate to a host that doesn't yet have your cert provisioned, every preloaded browser will refuse to connect.

Before any major migration — domain change, hosting migration, CDN swap — verify that HTTPS will be available on every host name from day one. If you're migrating to a new domain, the HSTS policy on the old domain doesn't transfer, so you will need to repeat the rollout (and any preload submission) on the new domain.

9. Common HSTS Mistakes

Enabling preload too early. Submitting before all subdomains support HTTPS is the most common reason sites end up locked out of their own properties.
Mixed content breakage. HSTS makes the browser refuse HTTP subresources outright. Any image, script, or stylesheet still loaded over HTTP will fail silently.
Certificate expiry. Once HSTS is active, an expired cert produces an unbypassable error — users can no longer click through. Treat cert renewal as a hard SLA.
Header on HTTP responses. Browsers ignore HSTS over HTTP. Make sure the header is set on the HTTPS endpoint, not just at a global proxy that strips it before it reaches TLS.
Missing the always directive in nginx. Without it, the header is only sent on 200 responses — error pages bypass HSTS.

# nginx.conf
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

10. Testing HSTS Configuration

Three quick checks to confirm the header is live:

curl -sI https://example.com | grep -i strict-transport

# Expected output:
strict-transport-security: max-age=31536000; includeSubDomains; preload

securityheaders.com: grades your overall header configuration and flags HSTS issues, including missing includeSubDomains and short max-age.
hstspreload.org: validates eligibility for the preload list and reports specific failures.
Chrome DevTools: the Security panel shows whether HSTS is active for the current site and lets you inspect the cached policy in chrome://net-internals/#hsts.

Ship secure, SEO-friendly headers

SitemapFixer audits HSTS, HTTPS, redirect chains, and the rest of your technical SEO stack.

Run a free audit