Google on 307 / HSTS redirects (HTTP to HTTPS)

How Google handles 307 / HSTS redirects is fully explained in the latest “Ask Google Webmasters” video with John Mueller.

In particular, Müller addresses the following question:

“How does Googlebot interact with HSTS / 307s?”

An HSTS redirect can be used to force browsers to go to the HTTPS version of a page.

These types of directives can be useful in cases where someone points to an HTTP URL instead of an HTTPS URL.

When you click on the link, the HSTS / 307 redirect ensures that the visitor lands on the HTTPS URL.

This is what happens when browsers interact with 307. What if Googlebot does this?

This is what Müller says:

“In summary, [Googlebot] do not interact with them. 307 redirects are generally not real redirects. What does that mean?

When creating a site HTTPS, you can optionally use HSTS. HSTS instructs users to only get the HTTPS version of a page.

When a user enters a URL or clicks a link that would otherwise lead to HTTP, the browser remembers the HSTS and goes straight to the HTTPS version. “


Read on below

When a website owner uses the URL inspection tool on a page with HSTS, it will determine that there is a 307 redirect.

However, Müller emphasizes HSTS acts like a redirect, but it’s not a real redirect.

It’s not a real redirect as only browsers can see a 307. That doesn’t mean anything to Googlebot.

When Googlebot crawls an HTTP page using HSTS, it is not redirected to the HTTPS version like a browser would.

“And that’s okay,” adds Müller.

Of course, this is only okay if the HTTPS URLs are indexed and crawlable. HSTS is not a tool for discovering links.

For example, if you’re migrating from HTTP to HTTPS, HSTS won’t help Google discover your new links. For this you need to use the correct 301 redirects.


Read on below

HSTS is an optional tool that is used in conjunction with a real redirect to be absolutely sure that users land on safe pages.

Here is the rest of Müller’s answer:

“To make it clear what is happening – it acts like a forwarding. Chrome calls this a 307 redirect. So if you’re using Chrome and you see a 307 result code with a tool, it doesn’t actually exist.

When it comes to Googlebot, we try to crawl urls with a new slate. So instead of keeping the HSTS list, we would access the HTTP URL directly.

If this URL redirects, which is usually the case with an HTTP and HTTPS site, we would follow that. In short, Googlebot doesn’t see the 307 that you would see in the browser. And that’s fine. “

Check out the full video below (there are some funny goofs at the end):