On-Page SEO Foundations

HTTPS with HSTS

Also known as HSTS · Strict-Transport-Security · secure transport

Serving every page over HTTPS encrypts traffic, and the HSTS response header forces browsers to use HTTPS for all future requests to the domain.

What it is

HTTPS is HTTP over TLS, which encrypts and authenticates the connection between browser and server. HTTP Strict Transport Security (HSTS) is a policy delivered in the Strict-Transport-Security response header. It tells browsers to connect only over HTTPS for the duration given by max-age, preventing protocol downgrade and SSL-stripping attacks.

Why it matters

HTTPS is a baseline ranking and trust signal, and browsers mark non-HTTPS pages as 'Not secure', which deters users and crawlers. AI crawlers and answer engines favor secure, canonical HTTPS URLs, so consistent HTTPS plus HSTS protects both your rankings and how your URLs are cited.

How to verify

Load the site and confirm the padlock and an https:// URL, then inspect the response headers in the DevTools Network tab for Strict-Transport-Security with a max-age. Tools like SSL Labs or securityheaders.com report certificate validity and whether HSTS is correctly configured.

How to fix

Install a valid TLS certificate, redirect all HTTP traffic to HTTPS with 301s, and add a Strict-Transport-Security header such as max-age=31536000; includeSubDomains. Ensure internal links and canonicals use https:// and consider HSTS preload once you are confident every subdomain supports HTTPS.

In the checklist

This concept maps to a check in the GEO Score checklist.
