P2 Issue #29
Missing HSTS Header
What does it mean?
HSTS (HTTP Strict Transport Security) is a security header that forces browsers to connect to your site only via HTTPS, even if the user types http:// or clicks on an insecure link.
If the HSTS header is missing, browsers may still attempt to connect over http://, making the site vulnerable to:
Downgrade attacks
Man-in-the-middle (MITM) attacks
Mixed-content warnings
Why is it bad for SEO & Performance?
Security Weakness
Without HSTS, an attacker on the network path can intercept the user's initial http:// request and keep the session on plain HTTP instead of HTTPS (SSL stripping attack).
Duplicate Content Issues
Search engines might index both http:// and https:// versions, creating duplicate pages.
Crawl Budget Wastage
Googlebot might crawl insecure (http://) versions, wasting crawl budget.
Trust & Rankings
Google uses HTTPS as a ranking signal. Missing HSTS reduces overall security trust signals.
User Experience
Users may see browser warnings like "Not Secure" if they land on HTTP versions.
How to Fix It
Add the HSTS header at the server level (Apache, Nginx, Cloudflare, etc.). Browsers only honour the header on responses served over HTTPS, so the site must already redirect http:// to https:// for it to take effect.
Recommended configuration:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
max-age=31536000: Enforce HTTPS for 1 year (the value is in seconds).
includeSubDomains: Apply the rule to all subdomains.
preload: Allow domain submission to the HSTS Preload List, making all browsers default to HTTPS even on the first visit.
Example
Bad (HSTS missing):
HTTP/1.1 200 OK
Content-Type: text/html
Good (HSTS enabled):
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
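The two responses above can be checked automatically. The following is an added example (not code from the original page) that parses a raw HTTP response, extracts the Strict-Transport-Security header and reports which of the recommended directives are missing or too weak; the BAD_RESPONSE and GOOD_RESPONSE samples are constructed to mirror the page's examples.

```python
ONE_YEAR = 31536000  # seconds; the max-age the page recommends

def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive; flag directives map to True."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        value = value.strip().strip('"')
        directives[name.strip().lower()] = value if value else True
    return directives

def check_hsts(raw_response):
    """Return findings (strings) for the HSTS header in a raw HTTP response.
    An empty list means the header matches the recommended configuration."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    hsts_values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            hsts_values.append(value.strip())
    if not hsts_values:
        return ["missing Strict-Transport-Security header"]
    findings = []
    if len(hsts_values) > 1:
        findings.append("multiple HSTS headers; browsers process only the first")
    directives = parse_hsts(hsts_values[0])
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("max-age missing or not a number; header is invalid")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is under one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing; subdomains stay unprotected")
    if "preload" not in directives:
        findings.append("preload missing; not eligible for the HSTS Preload List")
    return findings

# Constructed sample responses mirroring the page's bad/good examples.
BAD_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
GOOD_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Strict-Transport-Security: max-age=31536000; "
                 "includeSubDomains; preload\r\n\r\n")
```

Running check_hsts(BAD_RESPONSE) reports the missing header, while check_hsts(GOOD_RESPONSE) returns an empty list; a header such as max-age=300 without the other directives yields three separate findings.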
Result of Fixing
Ensures all traffic is HTTPS
Prevents duplicate content between HTTP/HTTPS
Protects users from MITM attacks
Improves Google SEO trust signals
Helps qualify for the HSTS Preload List, so browsers default to HTTPS even on a user's first visit.