Security Headers and SEO: What Actually Affects Rankings
HTTPS is a lightweight ranking signal Google confirmed in 2014. HSTS, CSP, X-Content-Type-Options and Referrer-Policy are not ranking factors, but they protect the trust and Safe Browsing status that indirectly govern SEO.
Exactly one security-related item is a confirmed Google ranking signal: HTTPS, which Google announced in 2014 as a lightweight signal affecting historically under 1% of queries. HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy are not ranking factors. They matter for SEO indirectly, by protecting the HTTPS signal, the Safe Browsing status, and the user trust that all sit upstream of rankings. This guide is honest about which is which.
HTTPS: the one direct signal
Google confirmed HTTPS as a ranking signal in August 2014 and has never reversed the position. The handbook (Ch.9) records it as a lightweight tie-breaker: it influenced a small fraction of queries at launch and Google has never claimed it outweighs relevance or content quality. Treat it as a hygiene requirement, not a growth lever.
The correct HTTPS setup is unglamorous and non-negotiable: a valid certificate, a 301 redirect from every HTTP URL to its HTTPS equivalent, a canonical pointing at the HTTPS version, and no mixed content. HTTPS should never be blocked in robots.txt. Getting this wrong is far more damaging than the signal is helpful — a broken certificate triggers a browser interstitial that stops most users cold, and HTTPS-to-HTTP canonical or redirect mistakes can make Google prefer the insecure version.
HSTS: making HTTPS unconditional
Strict-Transport-Security (HSTS) is not a separate ranking factor. It is the mechanism that turns HTTPS from best-effort into guaranteed. Once a browser has seen the header, it refuses to connect to the domain over HTTP for the entire max-age window, closing the brief SSL-stripping gap on the first bare-domain visit before your 301 fires. In that gap, an on-path attacker can serve altered content, inject links, or redirect traffic — outcomes with real indexing and ranking harm.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Deploy it only after HTTPS is fully live: setting HSTS mid-migration locks users out of any remaining HTTP pages for the whole max-age period. Add includeSubDomains after every subdomain serves valid HTTPS, and consider the preload list once stable. Crawlinx flags an HTTPS page with no HSTS header as security.missing_hsts.
Mixed content and forms on HTTP
Mixed content — an HTTPS page loading an image, script, or stylesheet over HTTP — undermines the padlock and, for active mixed content like scripts, is blocked outright by browsers, which can break rendering. Since Google indexes the rendered DOM, a script blocked as mixed content can strip functionality or content from what Google sees, so this is an indexing concern as well as a security one.
A form that submits over HTTP is worse. Browsers mark HTTP form fields with a visible "Not secure" warning, and any page collecting data over plain HTTP is a Safe Browsing and trust liability. Crawlinx flags this as security.form_on_http. Fix it by serving both the page and its form action over HTTPS.
Headers that protect trust, not rankings
The remaining headers have no demonstrated ranking weight. Their SEO value is entirely defensive: they reduce the chance of the compromise, defacement, or Safe Browsing flag that would tank a site far more than any header could lift it.
Content-Security-Policy (CSP) restricts which sources a page may load scripts, styles, and other resources from. Its SEO relevance is that it is the strongest single defense against injected-script attacks — the mechanism behind pharma-hack spam, cloaked redirects, and content injection that get sites manually penalized or Safe-Browsing-flagged. A well-scoped CSP makes those injections fail. The tradeoff: an overly strict CSP can block your own render-critical scripts, which would harm what Google renders, so test it carefully. Crawlinx flags a missing policy as security.missing_csp.
X-Content-Type-Options: nosniff stops browsers from MIME-sniffing a response into a type the server did not declare, closing a class of attacks where a file uploaded as one type is executed as another. It is a one-line header with no downside. Crawlinx flags its absence as security.missing_x_content_type.
X-Content-Type-Options: nosniff
X-Frame-Options (or the CSP frame-ancestors directive) prevents your pages from being embedded in a frame on another site, defeating clickjacking. There is no ranking effect, but clickjacked pages are a trust and phishing risk. Crawlinx flags this as security.missing_x_frame_options.
Referrer-Policy controls how much of your URL is sent in the Referer header when a user clicks out. It has no ranking impact and does not affect how Google attributes referral data in Search Console, which comes from Google's own instrumentation. It is a privacy hardening measure — a sensible strict-origin-when-cross-origin avoids leaking full URLs (including any query-string tokens) to third parties. Crawlinx flags a missing policy as security.missing_referrer_policy.
A related outbound risk: links using target="_blank" without rel="noopener" let the destination page script your tab via window.opener. Modern browsers default to noopener, but explicit rel="noopener noreferrer" is still the safe practice. Crawlinx flags unsafe cross-origin links as security.unsafe_cross_origin_links.
Where security meets SEO
The honest through-line: only HTTPS is a ranking factor, and a minor one. The other headers matter because a compromised or untrusted site loses rankings through consequences these headers prevent — a Safe Browsing flag that removes a site from results with a full-page browser warning, an injection that gets a site manually penalized, or a certificate failure that stops users before they reach the content. For YMYL sites, where Google's quality systems weight trust most heavily (handbook Ch.5, and our E-E-A-T guide), a visibly insecure site also erodes the human trust signals reviewers and users look for.
The practical priority order: HTTPS everywhere with valid certificates and correct redirects first; no mixed content and no forms on HTTP second; then HSTS to harden HTTPS; then nosniff, a scoped CSP, framing protection, and a referrer policy as low-cost hardening.
How Crawlinx detects these
Crawlinx inspects response headers on every crawled URL and flags a missing HSTS header on HTTPS pages (security.missing_hsts), a missing Content-Security-Policy (security.missing_csp), a missing X-Content-Type-Options (security.missing_x_content_type), a missing X-Frame-Options (security.missing_x_frame_options), and a missing Referrer-Policy (security.missing_referrer_policy). It flags forms posting over HTTP (security.form_on_http) and unsafe target="_blank" links (security.unsafe_cross_origin_links). These are checked at NOTICE severity because they are trust and safety signals, not ranking blockers — see where they sit in the full technical SEO audit checklist.
Takeaway
Serve HTTPS correctly and you have captured the only confirmed ranking signal in this group. Everything else — HSTS, CSP, nosniff, frame protection, referrer policy — earns its place by protecting the trust, rendering integrity, and Safe Browsing status that keep a site rankable. None will lift rankings on their own; each prevents a loss that would.
Audit your own site — free
77 checks, internal PageRank, render-diff. No signup, results in ~30s.