The choice between using “www” or not in a website’s address is primarily a matter of preference and branding. However, regardless of the chosen option, it is essential to ensure that the site correctly responds to both versions and that there is proper redirection to the primary version.
WWW vs. Non-WWW
From a technical perspective, “www” is a subdomain, whereas the non-“www” version directly refers to the root domain. Some organizations prefer to include “www” for compatibility and DNS structuring reasons, while others opt for the non-“www” version for shorter and more modern URLs.
Regardless of the choice, a 301 redirect should be implemented to avoid content duplication and ensure that search engines index only one version of the site.
HTTPS: A Mandatory Requirement
Unlike “www,” HTTPS is mandatory. Web security demands that all websites use HTTPS to protect user data, improve SEO, and avoid security warnings in modern browsers.
Proper HTTPS Redirection: Step by Step
The order of the redirects matters, particularly because of the HSTS (HTTP Strict Transport Security) header, which instructs browsers to always use HTTPS. To avoid issues, apply the redirects in this order:
- Redirect HTTP to HTTPS (e.g., from http://example.com to https://example.com).
- Redirect to the preferred version (with or without WWW) (e.g., from https://example.com to https://www.example.com or vice versa).
All redirections should be permanent (using HTTP 301 status codes) to signal to search engines that the change is permanent.
Recommended HSTS Configuration
Once the website correctly responds via HTTPS and is stable, it is recommended to configure HSTS to enhance security.
HSTS is a crucial security measure that protects users against protocol downgrade and man-in-the-middle attacks (MITM). Without HSTS, an attacker could force an insecure connection via HTTP and potentially collect or modify data. By enabling HSTS, the browser is instructed to always establish secure connections via HTTPS, significantly reducing this risk.
A typical HTTP header configuration should be:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Explanation of parameters:
- max-age=31536000: Keeps HSTS active for one year (in seconds).
- includeSubDomains: Applies the rule to all subdomains.
- preload: Indicates that the site can be included in browsers’ HSTS preload list.
Before activating HSTS, it is crucial to ensure that all subdomains use HTTPS to prevent accessibility issues.
Additionally, we recommend submitting the domain to Google’s HSTS preload list by verifying proper HSTS configuration and registering it at https://hstspreload.org.
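The redirect order and the HSTS header described above can be checked together before submitting a domain for preload. The following Python code is an added example, not part of the original article: the function names, the hop tuple layout, and the choice of www.example.com as the preferred host are assumptions, and the sample chains are constructed.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, flags) from a Strict-Transport-Security header value."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            digits = arg.strip().strip('"')
            max_age = int(digits) if digits.isdigit() else None
        elif name.strip():
            flags.add(name.strip().lower())
    return max_age, flags

def audit(hops, canonical_host):
    """hops: (url, status, location, headers) tuples in the order followed.
    Returns a list of problems; empty means the chain follows the order above."""
    problems = []
    for i, (url, status, location, _) in enumerate(hops[:-1], start=1):
        src, dst = urlsplit(url), urlsplit(location)
        if status != 301:
            problems.append(f"hop {i}: {url} answers {status}, not 301")
        if src.scheme == "http" and (dst.scheme, dst.hostname) != ("https", src.hostname):
            problems.append(f"hop {i}: HTTP must first go to HTTPS on the same host")
        if src.scheme == "https" and dst.scheme != "https":
            problems.append(f"hop {i}: HTTPS redirects back to HTTP")
    end = urlsplit(hops[-1][0])
    if (end.scheme, end.hostname) != ("https", canonical_host):
        problems.append(f"chain ends at {hops[-1][0]}, not https://{canonical_host}")
    hsts = {k.lower(): v for k, v in hops[-1][3].items()}.get("strict-transport-security")
    if hsts is None:
        return problems + ["final response has no Strict-Transport-Security header"]
    max_age, flags = parse_hsts(hsts)
    if max_age is None or max_age < 31536000:
        problems.append(f"max-age is {max_age}, below 31536000")
    problems += [f"HSTS header lacks {f}" for f in ("includesubdomains", "preload") if f not in flags]
    return problems

# Constructed sample chains (not captured from a real site).
HSTS = "max-age=31536000; includeSubDomains; preload"
GOOD = [
    ("http://example.com/", 301, "https://example.com/", {}),
    ("https://example.com/", 301, "https://www.example.com/", {}),
    ("https://www.example.com/", 200, None, {"Strict-Transport-Security": HSTS}),
]
BAD = [  # one hop changes scheme and host together, 302, short max-age, no flags
    ("http://example.com/", 302, "https://www.example.com/", {}),
    ("https://www.example.com/", 200, None, {"Strict-Transport-Security": "max-age=300"}),
]
```

Calling audit(GOOD, "www.example.com") returns an empty list, while audit(BAD, "www.example.com") reports the temporary redirect, the combined scheme-and-host jump, the short max-age, and the two missing directives.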
Whether a website uses WWW or not is a branding decision, but the technical implementation must be correct to avoid SEO and accessibility issues. HTTPS, on the other hand, is mandatory, and its implementation should be complemented by proper redirections and HSTS to strengthen website security. Following these best practices ensures a secure and optimized experience for both users and search engines.
If you have any questions, feel free to contact us. MindSEO has a team of specialists always available to help.