Definition
HSTS is a security mechanism that tells browsers to always use HTTPS to access a site, even if the user types HTTP. The Strict-Transport-Security header is sent by the server and the browser respects it for the specified duration (max-age). For SEO, HSTS offers two advantages: enhanced security (elimination of man-in-the-middle attacks and insecure redirects) and performance (browsers connect directly via HTTPS without going through the HTTP->HTTPS 301 redirect, saving a network round trip). HSTS Preloading goes further by including the domain in a list hardcoded into browsers, ensuring HTTPS from the very first visit. Google favors sites with HSTS as it guarantees a permanent secure connection.
Key Points
- Eliminates HTTP->HTTPS redirects for returning visitors
- HSTS Preloading forces HTTPS from the very first visit
- Protects against man-in-the-middle attacks
Practical Examples
Standard HSTS implementation
A site adds the header Strict-Transport-Security: max-age=31536000; includeSubDomains. Returning visitors connect directly via HTTPS, saving 100-200ms per visit.
HSTS Preloading
After verifying the entire site works on HTTPS, a webmaster submits their domain to the HSTS Preload list (hstspreload.org). Now even the first visit is HTTPS, without any redirect.
Frequently Asked Questions
Yes, if your site has HTTPS issues (mixed content, expired certificate). HSTS forces HTTPS and users won't be able to bypass certificate errors. Start with a short max-age (300 seconds), test, then gradually increase to 1 year (31536000).
Technically yes, but the removal process takes several months as it depends on browser updates. Only submit your domain for preloading if you are certain to maintain HTTPS indefinitely.
Go Further with LemmiLink
Discover how LemmiLink can help you put these SEO concepts into practice.
Last updated: 2026-02-07