Are Security Headers a Ranking Factor? Google Answers!

In a recent Google SEO Office Hours (when the Google team responds to user-submitted questions) a question about security headers arose.

The question was whether these headers affect the ranking of sites in Google’s search rankings.

The short answer is that they don’t. But, despite being simple, this question brings interesting insights for SEO professionals, including the importance of using data protection protocols.

In this article I will bring some of them, in addition to some tips on how to strengthen the security of a website.

Back to basics: what is a security header?

For those who are lost, let’s go to an explanation of what security headers are and their relation to the security of a website.

Generally speaking, security headers are a layer of protection whose purpose is to prevent cyber-attacks on web pages. An example is HTTP headers, which protect user data or prevent malicious scripts from being inserted into pages.

In essence, a HTTP protocol allows communication between a website and its server. This is important so that users can see the contents of a site and so that it is possible to include hyperlinks that lead to other pages. By the way, HTTP means Hypertext Transfer Protocol.

You may have noticed that some websites have URLs that start with HTTPS, right?

The “s” at the end means secure and indicates that the original protocol has encryption that scrambles messages so that only the sender and receiver can access them. The goal, again, is to prevent hackers from accessing these messages and stealing data and files.

Every page protected with HTTPS has a padlock icon and the message that browsing that site is safe.

Another important concept is the HSTS (HTTP Strict-Transport-Security) response header. It notifies browsers that the website must exclusively be accessed via HTTPS, ensuring that any future HTTP access attempts are automatically redirected to HTTPS.

Does the security header affect a site’s ranking?

As I said at the beginning, the question was raised during Google Office Hours as to whether a site using the HTTPS protocol is a factor that can place them in the first positions of the algorithm’s search.

The answer was as follows:

“No, the HSTS header does not affect Search.

This header is used to tell users to access the HTTPS version directly, and is commonly used together with redirects to the HTTPS versions.

Google uses a process called canonicalization to pick the most appropriate version of a page to crawl and index—it does not rely on headers like those used for HSTS.

Using these headers is of course great for users though.”

So, even though they are not a ranking factor, the HTTPS protocols are great because they make the website more secure and protect user data.

It is interesting to note yet another piece of information from the answer: Google uses a process called canonicalization to crawl and index websites. Have you heard of this concept?

A canonical URL tells Google’s algorithm that this is where a user should be redirected when performing a search.

One suggestion is to use the HTTPS protocol and include a canonical tag in the source code. This shows the Search Engine that the content is original — an excellent best practice for ranking.

Well, if a security header is not a ranking factor, can you leave your site without it?

No way!

Having an HTTPS protocol is not a mere differential: it is an important item for any website to protect your data and that of your users.

It is even mandatory for pages that require user login and password, such as virtual stores. E-commerces collect sensitive payment data and must offer their customers a secure environment to make purchases.

How can you make your website more secure?

In addition to using HTTPS protocols, I’ll list other good security practices for website security:

• use ssl certificates, a good choice for smaller sites or personal blog;
• host the page on secure servers and that offer good support;
• make constant backups to avoid permanent loss of data and files;
• create strong passwords for server and site administration profiles;
• adopt two-factor authentication (2FA), both in the browser and on the server;
• use WordPress plugins that help to reinforce the security of the page.

Creating a protected website is important for any brand, even if this is not directly a ranking factor for search engines.

And in any SEO strategy, it is fundamental to convey credibility and security to page visitors, who may be potential consumers of the products or services offered there.

Do you want to continue to be updated with Marketing best practices? I strongly suggest that you subscribe to The Beat, Rock Content’s interactive newsletter. We cover all the trends that matter in the Digital Marketing landscape. See you there!