If you want greater security, faster loading times, and stronger SEO for your site, here's why, what and how you should use HSTS for a better user experience and ranking.
Site users and search engines don't take website security lightly, which is probably why you've heard of additional security measures like HTTPS.
But a lesser-known security layer called HTTP Strict Transport Security (HSTS) is also available and can help protect your site and its search engine optimization (SEO) as well. Let's see what HSTS is and how it works.
HSTS
HSTS is a response header that tells the browser it must only connect to that website over HTTPS. HSTS increases both the speed and the security of HTTPS websites. To fully understand what HSTS does, you need a little working knowledge of HTTPS.
HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. When a user connects to a site over HTTPS, the website encrypts the session using an SSL/TLS certificate. In simple terms, it adds an extra layer of security to the session and protects against attackers who may try to intercept information from web users.
As you can imagine, this is especially useful for e-commerce, banking, or other transaction sites like Paypal, which require users to enter sensitive information.
Whether sites use HTTPS is clearly visible to users. Those that are secure will have a green security symbol in the URL.
On the other hand, those sites that still rely only on HTTP will be labeled as “Not Secure” in the Uniform Resource Locator (URL) box.
HTTPS has been a confirmed Google ranking factor since 2014, and while it won't immediately shoot your site to the top of the search engine results pages (SERP), it will give you an extra boost and signal an extra layer of reliability for website visitors. I like to think that having HTTPS gives a web page a boost and will generally move the HTTPS page up the SERPs.
While HTTPS is a big improvement over its predecessor, it is not entirely without its flaws and that is where HSTS comes in.
How HSTS increases site security
One of the flaws associated with HTTPS is that it is not completely intrusion-proof: it leaves your site open to SSL stripping, a downgrade attack in which an attacker forces the connection from encrypted HTTPS back to plain, unencrypted HTTP.
This often happens with 301 redirects, if a website relies on 301 redirects to move from HTTP to HTTPS. The 301 redirect usually happens like this:
- Someone types examplesite.com in their browser.
- Because examplesite.com uses a 301 redirect, the browser initially attempts to load http://examplesite.com. This happens because the browser cannot know in advance that a specific site is using HTTPS.
- Once it encounters the redirect and is told otherwise, the browser is given the go-ahead to load https://examplesite.com.
While this doesn't seem like a big deal, it's those few milliseconds in between that you really need to worry about, because they leave the site exposed to attackers trying to strip away the encrypted connection.
When the browser initially requests the HTTP version, an attacker can slip in and intercept the request over the insecure HTTP connection, which prevents the site from ever being loaded over HTTPS. It stands to reason that as more sites switch to HTTPS, more attackers are learning how to exploit this weak point in the transition.
There is a solution for this: make your site even more secure by applying HSTS.
HSTS forces a site to load over HTTPS, ignoring attempts to try an HTTP connection first, as in the case of 301 redirects. This essentially bypasses the initial HTTP load by forcing the browser to remember that this site supports HTTPS. This way, the browser loads the secure version immediately and eliminates the opportunity for attackers to hijack the connection.
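To make the request sequence concrete, here is an added Python model (not code from the original article) of a browser that caches HSTS policies. The site examplesite.com, its 301 redirect and its header value are constructed assumptions, and nothing touches the network. The model also shows the caveat the article covers later: the very first visit, before the browser has seen the header, still goes through the HTTP redirect.

```python
"""Added example (not from the original article): a toy model of the browser
behaviour described above.  The site, its redirect and its HSTS header are
constructed here; nothing touches the network."""
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed HSTS policy served by the sample site (values are assumptions).
HSTS_HEADER = "max-age=31536000; includeSubDomains"


def origin_server(url: str) -> dict:
    """Stand-in for examplesite.com: 301 from HTTP to HTTPS, HSTS on HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        https_url = urlunsplit(("https",) + tuple(parts[1:]))
        return {"status": 301, "headers": {"Location": https_url}}
    return {"status": 200,
            "headers": {"Strict-Transport-Security": HSTS_HEADER}}


def parse_max_age(header: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            return int(value.strip().strip('"'))
    return 0


@dataclass
class Browser:
    """Only the part of a browser that matters here: its HSTS host cache."""
    hsts_hosts: dict = field(default_factory=dict)   # host -> expiry time
    log: list = field(default_factory=list)          # what went on the wire

    def hsts_active(self, host: str) -> bool:
        return self.hsts_hosts.get(host, 0) > time.time()

    def fetch(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and self.hsts_active(parts.hostname):
            # Known host: rewrite to https:// before any request is sent, so
            # there is no plaintext round trip for an attacker to intercept.
            url = urlunsplit(("https",) + tuple(parts[1:]))
            self.log.append(f"internal upgrade -> {url}")
        self.log.append(f"request {url}")
        resp = origin_server(url)
        if resp["status"] == 301:
            self.log.append(f"301 -> {resp['headers']['Location']}")
            return self.fetch(resp["headers"]["Location"])
        sts = resp["headers"].get("Strict-Transport-Security")
        # RFC 6797 section 8.1: the header only counts when received over HTTPS.
        if sts and urlsplit(url).scheme == "https":
            host = urlsplit(url).hostname
            self.hsts_hosts[host] = time.time() + parse_max_age(sts)
        return url


def visit(browser: Browser, typed_host: str) -> tuple:
    """User types a bare host name; browsers try http:// unless HSTS says otherwise.
    Returns (final URL, number of plaintext HTTP requests that went on the wire)."""
    browser.log.clear()
    final = browser.fetch(f"http://{typed_host}/")
    plaintext = sum(1 for entry in browser.log if entry.startswith("request http://"))
    return final, plaintext


def run_demo() -> tuple:
    """First visit still takes the HTTP -> 301 -> HTTPS path; later visits do not."""
    browser = Browser()
    first = visit(browser, "examplesite.com")
    second = visit(browser, "examplesite.com")
    return first, second


if __name__ == "__main__":
    for label, (final, plaintext) in zip(("first", "second"), run_demo()):
        print(f"{label} visit: landed on {final}, plaintext requests: {plaintext}")
```

The first visit sends one plaintext request and follows the 301; once the header has been stored, the second visit is rewritten to https:// inside the browser and no plaintext request is made at all, which is both the security gain and the saved round trip the article describes.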
How HSTS Helps Page Load Speed and SEO
In addition to adding an extra layer of security to your site, using HSTS can also give you an SEO boost, since it makes your web pages load even faster.
We know that loading time is a big issue when it comes to search rankings and user experience. Since mobile device usage is only increasing and Google's mobile initiative is in full swing, page loading speed is more important than ever.
Early last year, Google published a study with the following conclusions:
The average time it takes to fully load the average mobile landing page is 15.3 seconds.
However, research also indicates that 53 percent of people will abandon a mobile page if it takes more than three seconds to load.
Clearly, web users aren't exactly forgiving when it comes to loading times.
And for e-commerce sites, which have even more incentive to apply HSTS, the news is worse. Consider this Google shopping statistic:
“30% of all online purchases are made on a mobile device”
Mobile sites lag behind desktop sites in key engagement metrics such as average time on site, pages per visit, and bounce rate. Many purchases are happening online, but the lagging sites are not the ones making the sales.
Page loading speed directly affects metrics, such as average time spent on site, pages per visit, and bounce rate. If you see low engagement metrics, you are likely seeing low sales.
Those engagement metrics are also key factors in your overall SEO. Web pages with strong engagement signal quality and a good user experience to Google, which can result in higher rankings. Since page loading speed is so important, it makes sense for companies to do everything they can to ensure their sites load like lightning. One of the things they can do is enable HSTS.
Remember, if a site relies only on a 301 redirect, the browser first requests the HTTP version before learning that the page supports HTTPS. That initial HTTP attempt adds a small delay to your site's loading time. It may only be milliseconds, but when it comes to page loading speed, every millisecond counts. With HSTS enabled, the browser knows to use only HTTPS, making the switch instant and eliminating that delay.
How to apply HSTS?
Before you can enable HSTS, you must have a valid SSL certificate installed. A user's browser will have to see the HSTS header at least once before it knows to instantly redirect to a given page. That means that a user's first visit to a certain domain would still have to go through the HTTP to HTTPS process.
To reduce this as much as possible, Chrome created the HSTS preload list. This is a list of domains built into the browser with HSTS already enabled, so users connect over HTTPS even on their very first visit.
Chrome allows anyone to submit their domain to the preload list as long as they meet the following requirements:
HTTPS must be enabled on the root domain and all subdomains, in particular the www subdomain if a DNS record exists for it. This includes any subdomains used only on intranets. The HSTS policy must cover all subdomains, carry a sufficiently long max-age, and include the "preload" directive to indicate that the domain owner consents to preloading.
As of now, Firefox, Safari, Opera, and Edge also use Chrome's preload list, so the option is available for domains in most major browsers.
To enable HSTS on your site, you will need to add the Strict-Transport-Security response header. You can do this through your hosting provider or configure it yourself on your web server.
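As an added example (not from the original article or from any hosting provider), here is a small Python checker for a Strict-Transport-Security header value against the preload requirements listed above. The one-year max-age minimum is the current hstspreload.org requirement; the sample header values and response schemes are constructed.

```python
"""Added example (not from the original article): checks a
Strict-Transport-Security value against the preload requirements described
above.  Sample header values are constructed; nothing is fetched."""
from typing import List, Optional

# hstspreload.org requires a max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_sts(header: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(header: Optional[str], scheme: str = "https",
               for_preload: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the policy is acceptable."""
    problems = []
    if scheme != "https":
        problems.append("sent over plain HTTP: browsers ignore the header "
                        "(RFC 6797 section 8.1)")
    if header is None:
        problems.append("no Strict-Transport-Security header on the response")
        return problems
    directives = parse_sts(header)
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age is missing or not a number; the policy is invalid")
    elif int(max_age) == 0:
        problems.append("max-age=0 tells browsers to drop any stored policy")
    elif for_preload and int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below the preload minimum "
                        f"of {PRELOAD_MIN_MAX_AGE}")
    if for_preload:
        if "includesubdomains" not in directives:
            problems.append("includeSubDomains is required for preloading")
        if "preload" not in directives:
            problems.append("preload directive is required to consent to preloading")
    return problems


# Constructed sample responses, as (scheme, header value) pairs.
SAMPLES = {
    "ready": ("https", "max-age=31536000; includeSubDomains; preload"),
    "too short": ("https", "max-age=300"),
    "wrong scheme": ("http", "max-age=31536000; includeSubDomains; preload"),
    "missing": ("https", None),
}


def audit_samples() -> dict:
    """Run the checker over every constructed sample."""
    return {name: check_hsts(hdr, scheme) for name, (scheme, hdr) in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run the checker against the header your server actually returns over HTTPS; a value of max-age=0 is worth a special look, since it is how a policy is deliberately withdrawn rather than a typo.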
Conclusion
Should you use HSTS? I think you should, unless you're a content publisher having trouble switching to HTTPS. It's difficult to serve ads on an HTTPS site, which is why many publishers have had problems switching to HTTPS. They will probably also find it difficult to serve ads using HSTS.
Every website can benefit from an extra layer of security, not only from an SEO point of view, but also from a customer point of view. If you run an eCommerce or transactional site, HSTS is quickly becoming a necessity.
Think of it this way: better security and faster loading times equal better SEO and, ultimately, a better user experience.