Google.com Begins HTTP Strict Transport Security Migration (HSTS)

Google announced Friday that it is adopting HSTS (HTTP Strict Transport Security) for Google.com. That means anyone who tries to reach the site over HTTP will be forced onto HTTPS, which goes further than a plain 301 redirect.

HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites, Google said.

Google said they “turned on HSTS for www.google.com, but some work remains on our deployment checklist.” I did check, and I didn’t see HSTS on for them yet, but maybe they are rolling it out slowly.

A good way to check is to use the SSL Labs test, which would say “HTTP Strict Transport Security (HSTS) with long duration deployed on this server.” Here is a screenshot of this site:


Of course, do not implement HSTS without HTTPS on your site; that is asking for it. Also, there may be some redirect confusion in Googlebot tools as a result, but do not worry.
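
The header check described above, as an added example (not from the original post or from Google): a small parser that reads a `Strict-Transport-Security` value following RFC 6797 and reports how a browser would treat it, including the case where the header arrives over plain HTTP and is ignored. The function names and the 180-day "long duration" cutoff are assumptions made for this illustration.

```python
import re

# Assumption for illustration: treat 180 days or more as "long duration".
# The page does not say which cutoff the SSL Labs test applies.
LONG_DURATION_SECONDS = 180 * 24 * 3600

# directive = name [ "=" ( token | quoted-string ) ], RFC 6797 section 6.1
_DIRECTIVE = re.compile(r'([^\s;="]+)(?:\s*=\s*("[^"]*"|[^\s;="]+))?')

def parse_hsts(value):
    """Parse one Strict-Transport-Security value.
    Returns {'max_age': int, 'include_subdomains': bool}, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                       # empty directives are permitted
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()          # directive names are case-insensitive
        if name in seen:                   # each directive may appear only once
            return None
        seen[name] = (m.group(2) or "").strip('"')
    max_age = seen.get("max-age", "")      # max-age is the one required directive
    if not (max_age.isascii() and max_age.isdigit()):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}

def assess(scheme, header_values):
    """Describe what a browser would do with a response's HSTS header(s)."""
    if not header_values:
        return "no HSTS header"
    if scheme != "https":                  # browsers ignore HSTS sent over HTTP
        return "ignored: sent over plain HTTP"
    policy = parse_hsts(header_values[0])  # only the first header field is processed
    if policy is None:
        return "ignored: malformed header"
    if policy["max_age"] == 0:
        return "HSTS policy removed (max-age=0)"
    if policy["max_age"] >= LONG_DURATION_SECONDS:
        return "HSTS with long duration"
    return "HSTS with short duration"

if __name__ == "__main__":
    # Constructed sample responses: (scheme, Strict-Transport-Security values)
    for scheme, values in [("https", ["max-age=31536000; includeSubDomains"]),
                           ("https", ["max-age=300"]),
                           ("http", ["max-age=31536000"])]:
        print(scheme, values, "->", assess(scheme, values))
```

To check a live site, pass in the scheme of the final response and the header values your HTTP client received for it.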

Good luck Google going HSTS!

Forum discussion at Google+.

Author: barry@rustybrick.com (Barry Schwartz)
