Google’s John Mueller said this morning on Reddit that even if you have HSTS (HTTP Strict Transport Security) which kind of by default forces a domain to go from HTTP to HTTPS, that you should still set up the 301 redirects from HTTP to HTTPS as well.
John said “Yes, always redirect if you can.” He added:
HSTS is great to add on top of redirecting & HTTPS, but I’d recommend not doing that if you’re just moving the site over for the first time. It’s hard to roll back & fix issues, and you really need time to make sure that you have everything set up properly first. Take your time to get HTTPS right first, then think about the implications of HSTS.
So when migrating to HTTPS, first do redirects and then after a few months or so when everything is set you can set up HSTS, but no need to remove the redirects you set in place already.
Back in 2015, we reported that Google treats HSTS as a redirect of some sorts. But Google has warned folks about taking it slow with HSTS configurations in the past.
Hat tip to:
Question: Do you still need to redirect HTTP pages if you have HSTS set up? @JohnMu confirms the answer on @rBigSEO just now (TL;DR: Yes, you do) https://t.co/yq6aorJuMj #HSTS #TechSEO
— Colin McDermott (@colinmcdermott) July 19, 2018
Forum discussion at Reddit.