Should you still redirect HTTP to HTTPS if it hasn't been done yet?

Why this statement now that HTTPS has become the norm?

Since 2014, Google has pushed HTTPS as a ranking signal, and Chrome has displayed aggressive alerts on non-secure sites since 2018. In 2023, over 95% of web traffic is routed through HTTPS. So why is Mueller revisiting redirects in 2024?

Because hundreds of thousands of websites have migrated to HTTPS without ever implementing permanent 301 redirects from HTTP to HTTPS. They simply activated the SSL certificate, leaving two versions of the site coexisting—a UX and SEO flaw. The statement targets those sites that carry a historical technical debt.

What is the real SEO impact of adding these redirects late?

Mueller is clear: if your site is “already well-established”, the visible SEO effect will be “probably minimal.” In other words: don’t expect a traffic surge. The HTTPS signal is already active, Googlebot is already crawling the secure version, PageRank is flowing.

What redirects fix is the residual fragmentation: external links still pointing to HTTP, outdated user bookmarks, old social shares. Without redirection, these accesses generate errors or ghost duplicates. The benefit is therefore more technical and UX-oriented than purely ranking-related.

What is HSTS and why does Mueller mention it at the end?

HTTP Strict Transport Security is a response header that tells browsers to never load the site over HTTP, even if the user explicitly types http:// in the address bar. The browser automatically forces the HTTPS version.

It is an additional layer of security that eliminates man-in-the-middle attacks during the first connection. For Google, it is also a signal of technical maturity: a site that configures HSTS shows that it takes security seriously beyond just having an SSL certificate. Mueller mentions it as a logical extension of the HTTPS migration—not a bonus, a necessity if you want to be consistent.

• HTTP → HTTPS redirects remain a good practice even if added late, but the direct SEO impact will be low on an established site.
• The main benefit is UX and technical consolidation: eliminating duplicates, capturing residual HTTP traffic, avoiding user errors.
• HSTS must be configured as a complement to force the HTTPS connection on the browser side and strengthen security.
• Googlebot already prioritizes the HTTPS version if it exists—the redirects will not fundamentally change its crawl behavior.
• This statement targets sites that have migrated to HTTPS without ever cleaning up orphan HTTP accesses.

Is this statement consistent with real-world observations?

Absolutely. We regularly see HTTPS-migrated sites that leave HTTP accessible—either by oversight or because "it works that way." The result: two URLs per page in the logs, residual duplication in Search Console, and sometimes backlinks still pointing to HTTP without being redirected. The direct SEO impact is indeed minimal if Google has already switched to HTTPS as the canonical version.

But saying "minimal" doesn't mean "none." We have observed cases where adding redirects cleaned up wasted crawl budget on ghost HTTP URLs, especially on large e-commerce sites with thousands of SKUs. Crawling becomes more efficient, and ranking signals concentrate on one version. It’s marginal but measurable with volume.

What does "probably minimal SEO effect" really mean?

It’s a deliberately cautious phrasing. “Probably” = Google does not commit. “Minimal” = do not expect gains in rankings. What Mueller doesn’t say is that the impact depends on the site context.

On a small site with 50 pages and few external backlinks, adding redirects changes absolutely nothing. On a media site with 10 years of history and thousands of links pointing to HTTP, the effect may be more tangible—not in direct ranking but in authority consolidation and crawling efficiency. [To verify]: Google does not provide any quantified metrics to assess this "minimal."

Is HSTS really necessary or just a "nice to have"?

HSTS is not optional if you want to be rigorous. Without it, a user typing http://yoursite.com in Chrome will first attempt an HTTP connection and then be redirected to HTTPS. That millisecond can be exploited by a MITM attack. With HSTS active, the browser forces HTTPS immediately, without ever touching HTTP.

For SEO, HSTS is not a confirmed ranking signal—but it is a technical quality indicator that Google values indirectly. A site that configures HSTS, preload, CSP, etc., sends a maturity signal. It’s a detail that can make the difference in ultra-competitive sectors where every micro-optimization counts.

What should you actually do if you haven't set up redirects yet?

The first step: audit residual HTTP accesses. Check in Search Console if any HTTP URLs are still indexed or crawled. Analyze your server logs to identify the volume of HTTP requests—if it’s 0.1% of traffic, it’s negligible; if it’s 10%, you're losing users and crawl budget.

Next, implement permanent 301 redirects from http://example.com/* to https://example.com/*. Set this up at the server level (Apache, Nginx, Cloudflare) or via a plugin if you are on WordPress. Test with curl -I to ensure that the redirect returns a 301 status code, not a temporary 302.

How to correctly configure HSTS without breaking your site?

Add the Strict-Transport-Security header in your web server configuration. Start with a short duration (e.g., max-age=86400, or 24 hours) to test. If everything works after a few days, move to a year (max-age=31536000).

Only enable includeSubDomains if ALL your subdomains are secured in HTTPS—otherwise you will break access to services like webmail.example.com if it’s still in HTTP. And only add preload if you are ready to remain in HTTPS permanently and submit your domain to hstspreload.org.

What mistakes should you avoid when setting up redirects?

Don’t create redirect chains: http://example.com → https://www.example.com → https://example.com/page. Each hop dilutes PageRank and slows down crawling. Redirect directly from HTTP to the final canonical version in one go.

Avoid temporary 302 redirects—they don’t transfer authority reliably. Always use permanent 301s. And test on a sample of URLs before deploying at scale: a regex error in the redirect rule can break an entire site.

• Audit residual HTTP URLs in Search Console and server logs
• Implement permanent 301 redirects from http:// to https:// at the server level
• Configure the HSTS header with max-age=31536000 after a testing phase
• Ensure that includeSubDomains is only enabled if all subdomains are secured
• Test redirects with curl -I to confirm 301 status code
• Monitor logs for 7 days after deployment to detect any errors