website-security-hsts

HSTS For Website Security And SEO

You probably feel like you get a “time to update” notice from you antivirus software almost every single day. Even if it’s slightly annoying when you’re trying to work on something, you realize that you always want to be current in your protection against emerging threats.

Your website security is just as important (if not even more important) as the security of your computer. If you store, process, or use visitor information on your website, those visitors want to know that you’re guarding that information just as closely as you’d guard your own.

Most people know why websites should use HTTPS, but HSTS, HTTP Strict Transport Security, is often overlooked.

What Is HSTS?

HSTS is not a replacement for HTTPS. You won’t start seeing “hsts://” in your browser window. HSTS is something called a response header than boosts and reinforces HTTPS. It’s a message that tells a browser “HTTPS ONLY!”, reinforcing things like the security and the speed of the website.

How Does HSTS Differ From HTTPS Alone?

HTTP by itself is basically obsolete. The “S” in HTTPS means secure, and people expect to be secure when they visit a website. HTTP is a plain wooden door, and HTTPS is a metal door with a padlock. It’s much harder to break in because most vulnerabilities have been addressed. Hackers can’t readily fetch whatever they’d like from an HTTPS website without putting up a huge fight. Websites that deal with sensitive personal information or allow transactions to be completed need to use HTTPS.

The only problem is that, while HTTPS is a vast improvement over HTTP, there’s no guarantee that it’s completely foolproof. Sure, HTTPS is a metal door with a padlock, but a determined hacker can come in beat the lock right off the door. An SSL stripping attack allows a very competent and capable hacker to peek in for just a second, but that second is all a skilled hacker needs. This is a common vulnerability in sites that use 301 redirects for HTTPS – the site attempts to load the less safe HTTP first, leaving that small window of vulnerability.

HSTS is the third door. This time it’s a sealed vault door. A hacker’s tools won’t do much, because this door is completely sealed. HSTS immediately says “NO!” when HTTP almost loads. It makes it a non-option and closes that small gap that hackers can take advantage of. It overrides any vulnerabilities from 301 redirects and doesn’t give anyone with malicious intentions a chance to meddle.

What Does HSTS Have To Do With SEO?

SEO is a lot more than just keywords. Google uses a lot of ranking factors to determine where a website belongs on the SEO hierarchy. Among these factors are security and load time. Both are improved by the use of HSTS.

Since HSTS bypasses some deciding work a browser has to do to load a page, it helps the page load faster. It won’t make an attempt to load HTTP first and fail – it will go directly to HTTPS and get your website up on the screen as soon as possible. As far as loading times go, every millisecond counts. This swift bypass cuts out valuable (although nearly microscopic) amounts of time.

Security is another important factor. Google doesn’t want to lead people to unsecure sites, particularly if they’re aware that the site overlooked practical security features. You might have even clicked a link through Google and been greeted with an alarming red screen in the Chrome browser, warning you that Google has some concerns about the security of a site. They won’t want to point people in the direction of a website that might inevitably lead to their information being stolen. That’s why security plays such a crucial role in ranking factors.

Since HSTS adds an extra level of security, particularly by eliminating a known vulnerability, Google will see that you value the safety of your visitors. You won’t get knocked for it, and you won’t risk people getting the impression that you’re shady or utilize bad practices.

How Do I Use HSTS?

As long as you have a valid SSL certificate (which enables HTTPS), you can use HSTS. Then, add and activate an HSTS header. The HSTS header becomes active when someone has visited your website before. Their browser has to find it first, and then it won’t go looking for it ever again. For people who use the Chrome browser, this process can be bypassed. It technically works for many other browsers too, because they’ve adopted the list. If you add your website to Chrome’s HSTS preload list, the change will take effect immediately.

This Security Seems Too Complicated For Me

Fortunately for you, we can put HSTS into place for you. We’re SEO experts. We’ll get the job done while you keep working on the things that make your website great. Contact us and we’ll be happy to set things up for you.