How can HSTS cut page load time by skipping the HTTP-to-HTTPS redirect and reaching the site directly over HTTPS? This blog explains that, along with the SEO advantages with Google.
If you are serious about your site's SEO, or work as an SEO for your clients' websites, this article deserves your serious consideration. Site security is something Google treats seriously, and it has become an indirect, if not direct, SEO factor that every SEO professional should weigh. If you would like to know how HSTS (explained shortly) can help your website's SEO, this blog is for you.
Today, webmasters face a deluge of attacks from all fronts – unauthorized hacks, credit card data theft, and continual attempts to break through their security barriers. It is no wonder that they look for measures that counter these threats effectively. HTTPS implementation is one such measure, intended to protect website owners from unwarranted attacks.
The problem with an unprotected layer of security
In the traditional setup, HTTP requests are relayed between the source and destination networks by third-party servers and routers. This means that these in-the-middle servers have complete access to the traffic from both ends. So if John wants to log on to HDFC Bank, John's PC and HDFC Bank's servers do not communicate directly; they communicate via the in-between servers.
Since the data transmitted over plain HTTP is unencrypted text, these in-between servers can be compromised to divert the transmission illegally. The outcome? The end user, John, may be redirected to a phishing site where he enters his login details, which the attackers capture to gain unauthorized entry or siphon off money.
How does HSTS come into the picture?
The HTTP Strict Transport Security (HSTS) policy makes sure that all traffic to and from the site is carried over HTTPS connections instead of regular unencrypted HTTP. This way, the whole channel is encrypted before any data is sent. As a result, attackers cannot read or modify the data in transit.
It is important to note that simply installing an SSL certificate and serving the site over HTTPS won't close all the vulnerabilities. You still need to ensure that only secure connections are ever made to the site. This is where HSTS comes into the picture: with this header, the site instructs the browser to make only secure connections.
How does it work?
The first step is to add an HSTS response header to an HTTPS reply:
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
The ‘expireTime’ (in seconds) is how long the browser must keep treating the site as HTTPS-only. So once the header has been received, the browser will remember to use a secure connection to the site for the number of seconds given in ‘expireTime’.
Now, when the browser connects to the website, the server sends the HSTS header along with its response. Once the browser has received the header over a connection it deems secure, it sends all further requests to the site over HTTPS.
Note that when your browser visits the site for the first time, it has not yet seen the HSTS header, so that first visit still goes through the redirect from HTTP to HTTPS. To overcome the delay caused by this first-time redirect, popular browsers like Mozilla and Chrome maintain a list of HSTS preloaded sites. The list tells the browser, in effect, ‘yes, this site has the HSTS header enabled, so go straight to the HTTPS connection’.
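To make the mechanism above concrete, here is a small model of the browser side of HSTS: a header parser plus an in-memory HSTS store that upgrades http:// URLs before any request is sent. This is an added example written for this post, not browser code; the parser follows the RFC 6797 directive syntax, and the HstsCache class and its method names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header_value):
    """Return (max_age, include_subdomains), or None if max-age is missing/malformed."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub

class HstsCache:
    """Constructed stand-in for a browser's HSTS store (not real browser code)."""
    def __init__(self):
        self.hosts = {}   # host -> (expiry timestamp, include_subdomains)
    def observe_response(self, scheme, host, header_value, now):
        # Honoured only on an HTTPS response: over plain HTTP an on-path
        # attacker could inject or strip the header, so browsers ignore it.
        if scheme != "https" or (parsed := parse_hsts(header_value)) is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)       # max-age=0 makes the browser forget the host
        else:
            self.hosts[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        # Exact host first, then each parent domain that set includeSubDomains.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Rewrite http:// to https:// before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The preload list mentioned above removes the unprotected first visit entirely; a site is added to it by submission at hstspreload.org, which requires a max-age of at least one year, includeSubDomains and the preload directive in the header.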
How does HSTS improve security?
As mentioned before, HTTPS implementation alone will not make the site 100% hack-proof. If the browser's first request goes to the HTTP version, an attacker can divert that unencrypted request and prevent the user from ever reaching the HTTPS version.
With HSTS, the browser is forced to load only the HTTPS version, never the HTTP version. As a result, the browser loads the secure version of the site straight away, leaving no room for attackers to intercept the transmission in between.
How does HSTS improve SEO?
Google has placed a lot of emphasis on page load speed. With the massive proliferation of mobile, Google has also updated its algorithm around a ‘mobile-first’ philosophy. A lot of purchasing and decision making clearly happens on the mobile web, but sites that take more than 3 seconds to load are not part of it. Hence HSTS becomes vital. With this policy, the browser requests the HTTPS site straight away, instead of first requesting the HTTP site and then the HTTPS site. The difference between the two sets of actions is just milliseconds, but frankly, that is all it takes to elevate the user experience online and generate business.
Now, I trust, your mind can connect the dots!
To sign off
HSTS has proven to be a better shield for data transmission than an SSL certificate's encryption alone. Get total protection from Man-in-the-Middle (MITM) attacks by securing your site with the HSTS policy.
Do you require help in implementing HSTS on your website? Or a FREE SEO Audit?
We at Macronimous can help you with our expert SEO team support.
Feel free to contact us today for a no-obligation SEO consultation.