HTTPS and HSTS: security signals that AI values

Admin AEO Expert

Why security is an AI signal

When an AI model selects sources for generating an answer, it weighs dozens of factors. One of those factors is the reliability of the technical infrastructure. A website running on HTTPS with strict security headers radiates more trust than a site still running on HTTP or missing security headers. This is not theory: research into how language models select sources shows that protocol security is one of the signals that indirectly determines trust in a source.

For search engines, HTTPS has been a ranking factor for years. Google confirmed this in 2014. But its importance now extends beyond SEO. AI crawlers and language models that index the web flag HTTP sites as potentially unsafe. This can lead to your content being selected less often as a source for AI-generated answers. Combined with other trust signals, such as E-E-A-T signals, HTTPS forms a baseline requirement for a credible online presence.

IMPORTANT

In 2026, no serious website should still be running on HTTP. Yet according to measurements, a significant percentage of sites still operate without a valid SSL configuration or with missing security headers.

Configuring HTTPS correctly

Implementing HTTPS starts with obtaining an SSL/TLS certificate. Thanks to services like Let's Encrypt, this is possible for free and can be automated. But just installing a certificate is not enough. The configuration must also be correct to genuinely inspire trust.

A common mistake is installing a certificate without correctly setting up the full certificate chain. When the intermediate certificate is missing, some clients (those that already cache the intermediate or fetch it themselves) accept the certificate, while others show a security warning or refuse the connection. This leads to an inconsistent experience and may cause AI crawlers to mark your site as unreliable. Always verify that the full chain is correctly configured using a tool like SSL Labs.

Setting up HTTP to HTTPS redirect

A correct redirect from HTTP to HTTPS is essential. Without a redirect, your site is accessible on both protocols, leading to duplicate content problems and confusing signals for AI crawlers.

# Nginx: redirect all HTTP traffic to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# Apache: redirect all HTTP traffic to HTTPS
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

# .htaccess (if you do not have access to vhost configuration)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  • Use TLS 1.2 or higher. TLS 1.0 and 1.1 are considered insecure and are blocked by modern browsers.
  • Configure an automatic redirect from HTTP to HTTPS at the server level so no visitor lands on the insecure version.
  • Ensure all internal links, images and scripts are loaded via HTTPS to prevent mixed-content warnings.
  • Renew certificates automatically. An expired certificate causes a security warning that deters both visitors and bots.
  • Test your configuration with SSL Labs (ssllabs.com/ssltest) and aim for an A+ score.

HSTS: the next step in transport security

HTTP Strict Transport Security (HSTS) is a security mechanism that instructs browsers to communicate with your website exclusively via HTTPS. Once a browser receives the HSTS header, it will automatically upgrade every HTTP connection to HTTPS for the specified duration, before the request is even sent. This protects against man-in-the-middle attacks and protocol downgrade attacks.

# Strict-Transport-Security header
# max-age: duration in seconds (31536000 = 1 year)
# includeSubDomains: applies to all subdomains too
# preload: register for the HSTS preload list

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# Nginx configuration (ssl_certificate and ssl_certificate_key directives omitted here)
# "always" makes Nginx send the header on every response code, including errors and redirects
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}

# Apache configuration
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

The max-age parameter determines how long browsers remember the HSTS instruction. A value of 31536000 seconds equals one year. Start with a short period like 300 seconds to test whether everything works correctly, then increase to one year. Note that browsers only honour the header when it arrives over an error-free HTTPS connection; an HSTS header sent on the plain HTTP response is ignored, so it must be set on the HTTPS server block.

HSTS preload list

The HSTS preload list is a registry maintained by the Chromium project and used by all major browsers. Websites on this list are always loaded via HTTPS, even on the very first visit. This eliminates the vulnerability of the first HTTP request before the HSTS header has been received. You can submit your site at hstspreload.org.

Implementing HSTS step by step

It is wise to roll out HSTS in phases to prevent problems. If your site does not yet fully work on HTTPS (mixed content, subdomains on HTTP), a rushed HSTS implementation can lock visitors out.

  1. Start with max-age=300 (5 minutes) without includeSubDomains. Test that all pages load correctly via HTTPS.
  2. Increase to max-age=86400 (1 day). Monitor for mixed-content warnings in the browser console.
  3. Add includeSubDomains once all subdomains correctly run on HTTPS.
  4. Increase to max-age=31536000 (1 year) when everything runs stably.
  5. Add preload and submit to hstspreload.org for inclusion in the preload list.
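The phased rollout above can be checked mechanically. The following Python is an added example (not code from the original article): it parses a Strict-Transport-Security value and reports which step of the rollout the value violates. The all_subdomains_on_https flag is an assumed input that the operator supplies from their own inventory; the preload thresholds follow the hstspreload.org requirements (max-age of at least one year plus includeSubDomains).

```python
import re

ONE_YEAR = 31536000  # seconds; minimum max-age required for preload submission


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive (RFC 6797); max-age may be quoted.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', raw.strip())
            if m:
                parsed["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def rollout_issues(value, all_subdomains_on_https):
    """Return a list of problems with an HSTS value; an empty list means OK.

    all_subdomains_on_https is an assumed operator-supplied flag: the code
    cannot discover by itself whether every subdomain already serves HTTPS.
    """
    p = parse_hsts(value)
    issues = []
    if p["max_age"] is None:
        return ["max-age missing: browsers ignore the header"]
    if p["max_age"] == 0:
        issues.append("max-age=0 clears HSTS state instead of enforcing it")
    if p["include_subdomains"] and not all_subdomains_on_https:
        issues.append("includeSubDomains set while a subdomain still uses HTTP")
    if p["preload"]:
        if p["max_age"] < ONE_YEAR:
            issues.append("preload requires max-age >= 31536000 (1 year)")
        if not p["include_subdomains"]:
            issues.append("preload requires includeSubDomains")
    return issues
```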

Additional security headers for trust

Besides HSTS, there are more security headers that strengthen the trust profile of your website. AI crawlers and scanners evaluate these headers as part of the technical quality of a site. For a comprehensive treatment of all relevant headers, see our article on security headers that build AI trust.

# Content Security Policy: restricts resources the page may load
# Note: 'unsafe-inline' in script-src allows inline scripts and largely undoes the
# XSS protection CSP offers; drop it (or use nonces/hashes) once your pages allow it
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

# Prevents the browser from guessing MIME types
X-Content-Type-Options: nosniff

# Prevents your site from being loaded in an iframe (clickjacking)
X-Frame-Options: DENY

# Sends the full URL as referrer only to your own origin; cross-origin requests get only the origin,
# and nothing is sent on an HTTPS-to-HTTP downgrade
Referrer-Policy: strict-origin-when-cross-origin

# Restricts access to browser APIs
Permissions-Policy: camera=(), microphone=(), geolocation=()

Headers that AI crawlers evaluate

  • Strict-Transport-Security confirms that the site consistently enforces HTTPS.
  • Content-Security-Policy shows that the site actively protects against cross-site scripting and data injection.
  • X-Content-Type-Options prevents MIME sniffing and demonstrates technical diligence.
  • Referrer-Policy protects visitor privacy and shows the site is privacy-conscious.
  • Permissions-Policy limits unnecessary browser API access, indicating a deliberate security strategy.

The relationship between HTTPS and robots.txt

Your robots.txt configuration must account for your HTTPS implementation. If your site is accessible via both HTTP and HTTPS, both versions need a robots.txt file. AI crawlers fetch robots.txt from the protocol on which they discover your site. A missing robots.txt on the HTTPS version can mean AI bots have no crawl instructions and may skip your site entirely.

Testing and monitoring security

It is not enough to set up security headers once. Regular monitoring is essential to ensure your configuration remains current and correct.

  1. Use SSL Labs (ssllabs.com/ssltest) to test your TLS configuration. Aim for an A+ rating.
  2. Check your security headers with securityheaders.com. This tool gives a score from A+ to F and shows exactly which headers are missing.
  3. Monitor your certificate expiration and set up automatic renewal via Let's Encrypt or your hosting provider.
  4. Scan your site for mixed-content issues using the browser console (look for "Mixed Content" warnings).
  5. Test the HSTS preload status of your domain at hstspreload.org.
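The redirect check from the HTTPS section and the header checks from this monitoring list can be combined into one offline audit. The Python below is an added example, not part of the original article: it takes captured raw responses for the HTTP and HTTPS versions of a host (the two samples are constructed here) and lists what a scanner would flag, including a CSP script-src that still carries 'unsafe-inline'. It checks HSTS presence only; the directive values are covered by the parser in the HSTS section.

```python
from urllib.parse import urlsplit

# Headers the article recommends; a value means that exact value is expected.
EXPECTED = {"strict-transport-security": None, "content-security-policy": None,
            "x-content-type-options": "nosniff", "x-frame-options": None,
            "referrer-policy": None, "permissions-policy": None}

# Constructed sample responses standing in for real captures of example.com.
HTTP_RESP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://example.com/\r\nContent-Length: 0\r\n\r\n")
HTTPS_RESP = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
              "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
              "X-Content-Type-Options: nosniff\r\n"
              "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n<html>")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ", 2)[1]), headers


def audit(http_raw, https_raw, host):
    """Return findings for the plain-HTTP redirect and the HTTPS header set."""
    findings = []
    status, h = parse_response(http_raw)
    target = urlsplit(h.get("location", ""))
    if status not in (301, 308):
        findings.append(f"HTTP answered {status}, expected a permanent redirect")
    elif target.scheme != "https" or target.hostname != host:
        findings.append(f"redirect must point to https://{host}, got {h.get('location')}")
    if "strict-transport-security" in h:
        findings.append("HSTS on the HTTP response is ignored; set it on HTTPS")
    status, h = parse_response(https_raw)
    for name, want in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif want and h[name].lower() != want:
            findings.append(f"{name} is {h[name]!r}, expected {want!r}")
    for directive in h.get("content-security-policy", "").split(";"):
        if directive.strip().startswith("script-src") and "'unsafe-inline'" in directive:
            findings.append("script-src allows 'unsafe-inline', weakening XSS protection")
    return findings
```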

Impact on the AI-Ready score

In our AEO scanner, we check both the presence of HTTPS and the quality of security headers. A site that correctly implements HTTPS with a valid HSTS header scores significantly higher on the trust profile than a site that only has a basic SSL certificate. The combination of HTTPS, HSTS with preload and additional security headers is a strong signal to both search engines and AI models that your site is professionally managed. This directly ties into the broader AEO principles we described earlier.

Key takeaways

  • HTTPS is a baseline requirement for AI trust: AI crawlers flag HTTP sites as potentially unsafe.
  • HSTS prevents protocol-downgrade attacks and enforces HTTPS at the browser level, even for the first request (with preload).
  • Implement HSTS gradually: start with a short max-age and build up to one year with preload.
  • Additional security headers like CSP, X-Content-Type-Options and Permissions-Policy strengthen the trust profile with AI models.
  • Regular monitoring via SSL Labs and securityheaders.com is essential to keep your configuration current.

Frequently asked questions

Is HTTPS really a ranking factor for AI models?

Yes. Although AI models do not have explicit "ranking factors" like Google, they do weigh the reliability of sources. HTTPS is one of the technical signals that contribute to the trust profile of your site. Sites on HTTP are considered less reliable, leading to a lower chance of being cited in AI-generated answers.

Can an expired SSL certificate hurt my AI visibility?

Absolutely. An expired certificate generates a browser warning that deters AI crawlers. Most crawlers abort the connection on an SSL error and do not index the page. Always set up automatic renewal via Let's Encrypt or your hosting provider to prevent this.

What is the difference between HSTS and a regular HTTPS redirect?

An HTTPS redirect intercepts traffic at the server level and forwards visitors. But on the first request, an insecure HTTP request is still sent. HSTS instructs the browser to make future requests directly via HTTPS, without the HTTP detour. With HSTS preload, this applies even to the very first visit.

Does HSTS preload have downsides I should consider?

The main downside is that inclusion in the preload list is difficult to reverse. If your site has problems with HTTPS after inclusion (for example mixed content on subdomains), visitors can no longer reach your site via HTTP as a fallback. Therefore, test thoroughly before activating preload.

Which security headers matter most for my AI score?

Strict-Transport-Security (HSTS) is the most important. Then come Content-Security-Policy, X-Content-Type-Options and Referrer-Policy. These four headers together form a solid foundation. Permissions-Policy is a valuable addition but less critical. Start with HSTS and build from there.

Security is not an expense, it is an investment in trust. And trust is exactly what AI models look for when selecting sources.
