Why SSL and HSTS are now an AI issue, not just a security one

SSL, HSTS, and privacy policy impact whether an AI agent considers your site a secure source. Check the 7 elements.

A dark security audit panel shows an SSL certificate, HSTS, and trust signals being read by an AI assistant.
Direct Answer

If your site still serves pages over plain HTTP, has a certificate about to expire, or lacks HSTS, fix that before schema.org and llms.txt: an AI agent has little reason to trust a site the browser flags as risky. In practice, check HTTPS on every important URL, the certificate expiration date, the HSTS `max-age`, CSP, `nosniff`, iframe protection, and the privacy policy.

Copy this template: "If my site has [HTTP/missing HSTS/expiring SSL], I first fix [HTTPS + certificate/HSTS/headers], because [AI and browsers need a secure channel]. In practice, I check [URL, certificate, HTTP headers, privacy policy page]."

A client asks ChatGPT, "Is this supplement store reliable?" The agent checks the product description, company data, reviews, but along the way may encounter a simple problem: the site operates over HTTP or has a certificate error. For a human, it’s a "missing padlock". For a system that must not guide the user to a risky place, it’s a reason for caution.

Why It's Important in 2026

SSL is no longer just an addition to the payment form. In 2026, a site competes not only for clicks on Google but also for a spot in AI responses: in ChatGPT, Gemini, Perplexity, Claude, or shopping agents.

Google confirmed HTTPS as a lightweight ranking signal back in 2014. Chrome is going further: according to the Google Security Blog, starting October 2026, Chrome 154 will by default warn users when they first access a public site without HTTPS. That same post states that about 95-99% of navigation in Chrome uses HTTPS, so a public store on HTTP appears as an exception, not the norm.

This doesn't mean that OpenAI, Anthropic, or Google published a simple table saying "missing HSTS = minus 15 points". No such table exists. The point is more practical: if a site is difficult to retrieve securely, has a certificate error, or mixes HTTP with HTTPS, it becomes a worse candidate as a source for answers.

Audit AI treats Security as one of the categories in the AI readiness audit. Its own checkpoint registry includes 7 checks: HTTPS with a certificate valid for more than 30 days, HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and CORS for SaaS/API.

How This Differs from Traditional Security

The traditional approach states: SSL protects payment, forms, and customer passwords. The AI-ready approach states: SSL, HSTS, and security headers signal to the agent that the site is a stable, secure, and predictable source of data.

SEO asks: "Can Google index the site?" AI readiness asks: "Can the agent safely retrieve the site, understand it, and recommend it to the user without introducing risk?"

An e-commerce example: a cosmetics store has good descriptions and Product schema, but the certificate expires in 6 days. A human might not notice this. An automated audit should flag this as a risk, because after expiration, the site may become unavailable to some crawlers and users.

An example from services: a physical therapy office has a booking form over HTTP. The agent might find the offer, but shouldn’t encourage the user to enter their phone number and health issue description in an unsecured form.

Step-by-step: What to Check First

  1. Check that every important subpage works over HTTPS
    Bad
    "We have SSL because the homepage has a padlock."
    Better
    "The homepage, cart, payment, contact, terms, privacy policy, and the 10 most important products respond over HTTPS without warnings."

    In a shoe store, check at minimum: `/`, shoe category, product page, cart, checkout. In a dental office: `/`, pricing, services, contact, booking.

    The simplest test: enter the address with `http://` and see if it automatically redirects to `https://`. Then check if there is no certificate error message in the browser.

    nginx.conf
    server {
      listen 80;
      server_name yourdomain.pl www.yourdomain.pl;
      return 301 https://$host$request_uri;
    }

    This snippet redirects HTTP traffic to HTTPS in Nginx. It does not replace the certificate; it merely enforces a secure address.

  2. Check the expiration date of the SSL certificate
    Bad
    "The certificate was set up by our hosting some time ago."
    Better
    "The certificate expires in more than 30 days, and renewal is automatic."

    Audit AI checkpoint 5.1 warns when the certificate is set to expire in less than 30 days. This is a reasonable operational threshold: it gives time to react before a client or crawler sees a connection error.

    For a supplement store, an SSL error on the weekend can block advertising campaigns and sales. For an accounting firm, it may block the contact form where the client enters their company details.

    If you're using hosting like LH.pl, home.pl, cyber_Folks, or nazwa.pl, usually look for sections labeled "SSL", "certificates", "Let's Encrypt", or "domain security". The goal is simple: turn on auto-renew.

  3. Enable HSTS only after HTTPS is working everywhere
    Bad
    "We add HSTS because it's in the guide."
    Better
    "First, we check all subpages and subdomains, then we enable HSTS with `max-age=31536000`."

    HSTS, the `Strict-Transport-Security` header, tells the browser to open the domain only over HTTPS for as long as `max-age` says. MDN also describes an important consequence: on later connections the browser no longer lets the user click through a certificate error, so a broken certificate on an HSTS domain is a hard failure, not a warning the visitor can bypass.

    nginx.conf
    # Put this in the `listen 443 ssl` server block only; browsers ignore HSTS sent over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    Do not enable `includeSubDomains` if you have an old subdomain running on HTTP, such as `panel.yourdomain.pl`. Fix it or retire it first. Also start with a short `max-age`, for example 300 seconds, and raise it to a year only after every subpage and subdomain has been verified: the browser remembers the value for that long, so a mistake made with a one-year value cannot be rolled back quickly. HSTS is a good security measure, but implemented carelessly it can cut off part of your traffic.

  4. Add Content-Security-Policy in Report-Only mode
    Bad
    "We don’t have CSP because it might break something."
    Better
    "First, we run CSP Report-Only for 7 days, check for errors, then enable the actual policy."

    CSP isn’t strictly about AI, but it says a lot about site hygiene. If a store loads scripts from 18 random domains, iframes from an abandoned plugin, and old widgets, the agent has more noise, and the user faces greater risk.

    nginx.conf
    # /csp-report must accept POST requests; otherwise the browser's reports are lost and the 7-day trial tells you nothing.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data: https:; script-src 'self'; report-uri /csp-report" always;

    For a cosmetics store, exceptions might include payment gateways, review systems, and email tools. For a beauty salon: booking calendar, map, and review widget. List them before you start blocking.

  5. Add three small headers: nosniff, frame protection, referrer
    Bad
    "We have SSL; the rest doesn’t matter."
    Better
    "We add `X-Content-Type-Options: nosniff`, frame protection, and `Referrer-Policy`."

    These headers rarely come up in conversations with store owners, but in an audit, they are quick to check and usually quick to fix.

    nginx.conf
    # Repeat these in every location block that has its own add_header; Nginx does not inherit them there.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    `nosniff` stops the browser from guessing a file type that differs from the declared `Content-Type`. `X-Frame-Options: SAMEORIGIN` reduces the risk of clickjacking; the CSP directive `frame-ancestors` does the same with finer control and takes precedence where both are present. `Referrer-Policy` controls how much of the referring address you pass to other sites. One Nginx caveat: `add_header` lines in the `server` block are not inherited by a `location` block that has any `add_header` of its own, so repeat the full set there or the headers silently disappear on those paths.

  6. Organize your privacy policy and company data
    Bad
    "The privacy policy is in the footer, probably still from a template."
    Better
    "The privacy policy has a current date, administrator details, a list of tools, contact basis, and a link from every subpage."

    The AI agent does not assess trustworthiness solely based on the certificate. It also looks for signals that are obvious to humans: does the company provide information, is there a terms of service, is it clear who is responsible for the form?

    For a furniture store, important information would include seller data, return and delivery policies. For a physical therapist: data administrator, purpose for collecting phone numbers, contact method, and information about bookings.

  7. Check CORS if you have an application, API, or client panel
    Bad
    "CORS is set to a wildcard because then everything works."
    Better
    "The API allows only specific domains and methods that you actually use."

    CORS is most important for SaaS, integrations, calculators, and client panels. If in the future the agent needs to call an endpoint, e.g., checking an appointment or fetching an order status, the API must be accessible, but not indiscriminately open to everyone.

    nginx.conf
    location /api/ {
      # One explicit origin, never "*" on endpoints that return account or order data
      add_header Access-Control-Allow-Origin "https://yourdomain.pl" always;
      add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
      # Tell shared caches that the response depends on the requesting origin
      add_header Vary "Origin" always;
      # Answer the browser's preflight without hitting the backend
      if ($request_method = OPTIONS) { return 204; }
    }

    A store without a public API can put CORS on the back burner. A SaaS application or booking system should check this right away.
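The seven steps above are a checklist a person runs by hand; the script below is the same checklist as code. It is an added example, not Audit AI's checker: the thresholds (certificate valid for more than 30 days, HSTS `max-age` of 31536000) are the article's, while the severity labels, function names and the two sample header sets are mine and constructed, not captured from a real store. The `fetch` helper is the only part that needs network access; everything else runs offline.

```python
"""Offline audit of the seven elements: HTTP redirect, certificate expiry, HSTS,
CSP, nosniff, frame protection, Referrer-Policy and CORS.
Added example, not Audit AI's code. Thresholds come from the article."""
import http.client
import ssl
import time

SECONDS_PER_YEAR = 31_536_000   # the max-age the article asks for
MIN_CERT_DAYS = 30              # checkpoint threshold from the article
DAY = 86_400


def days_until_expiry(not_after, now_ts=None):
    """Whole days until the certificate's notAfter, in the format getpeercert()
    returns (e.g. 'Jan  1 00:00:00 2027 GMT'); negative once it has expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires - now_ts) // DAY)


def redirect_ok(status, location):
    """True when an http:// request was answered with a redirect to https://."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, includeSubDomains, preload)."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    max_age = None
    for p in parts:
        if p.startswith("max-age="):
            try:
                max_age = int(p.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = None
    return max_age, "includesubdomains" in parts, "preload" in parts


def audit_headers(headers, scheme="https", cert_days=None):
    """Apply the article's checks to one response. Returns a list of (severity, message):
    'fix-now' mirrors the right-hand column of the audit table, 'improve' the rest.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme != "https":
        findings.append(("fix-now", "page is served over HTTP"))
    if cert_days is not None and cert_days < MIN_CERT_DAYS:
        findings.append(("fix-now", f"certificate expires in {cert_days} days"))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("improve", "missing Strict-Transport-Security"))
    else:
        max_age, subs, preload = parse_hsts(hsts)
        if max_age is None or max_age < SECONDS_PER_YEAR:
            findings.append(("improve", f"HSTS max-age {max_age} is below one year"))
        if preload and not subs:
            findings.append(("improve", "HSTS preload without includeSubDomains"))
    csp = h.get("content-security-policy")
    if csp is None and "content-security-policy-report-only" not in h:
        findings.append(("improve", "no CSP, not even Report-Only"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("improve", "X-Content-Type-Options is not nosniff"))
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp.lower()):
        findings.append(("improve", "no X-Frame-Options and no frame-ancestors"))
    if "referrer-policy" not in h:
        findings.append(("improve", "missing Referrer-Policy"))
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append(("improve", "Access-Control-Allow-Origin is *; confirm it is intended"))
    return findings


def fetch(host, path="/"):
    """Live check (needs network): one GET over TLS with certificate validation.
    Returns (status, headers, days_until_expiry). Repeated header names collapse
    to the last value, which is fine for the headers audited here."""
    conn = http.client.HTTPSConnection(host, timeout=10, context=ssl.create_default_context())
    conn.connect()
    cert_days = days_until_expiry(conn.sock.getpeercert()["notAfter"])
    conn.request("GET", path, headers={"User-Agent": "ssl-hsts-audit/0.1"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    resp.read()
    conn.close()
    return resp.status, headers, cert_days


# Constructed responses (not captured from a real site): a store before and after the fixes.
WEAK_STORE = {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*"}
FIXED_STORE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs, days in (("weak", WEAK_STORE, 6), ("fixed", FIXED_STORE, 70)):
        print(name)
        for severity, msg in audit_headers(hdrs, cert_days=days) or [("ok", "no findings")]:
            print(f"  [{severity}] {msg}")
```

To run it against a real site, call `fetch("yourdomain.pl", "/checkout")` and pass the returned headers and day count to `audit_headers`; for the HTTP-to-HTTPS redirect check, make the plain `http://` request with any client and hand its status and `Location` header to `redirect_ok`. The audit deliberately reports a wildcard CORS origin as something to confirm rather than a hard failure, because a public read-only API may legitimately use it.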

Ready-made SSL + HSTS Audit Template

Copy this table into a document and fill it out for your site.

| Element | Minimum | When to fix immediately |
| --- | --- | --- |
| HTTPS | every important subpage works without warnings | the site runs on HTTP |
| SSL expiry | certificate valid for more than 30 days | less than 30 days or certificate error |
| HSTS | `max-age=31536000` after thorough HTTPS testing | missing HSTS after implementing HTTPS |
| CSP | first Report-Only, then enforced | no script controls on a form page |
| Privacy Policy | current and linked in the footer | empty template or no page |

Implementation Checklist

  • Homepage works over HTTPS.
  • `http://yourdomain.pl` redirects to `https://yourdomain.pl`.
  • Both `www` and non-`www` lead to one version.
  • The SSL certificate does not expire within the next 30 days.
  • Auto-renew of the certificate is enabled in hosting.
  • Chrome shows no "Not Secure" warning on any checked page.
  • No mixed content, i.e., images or scripts loaded over HTTP.
  • HSTS is added only after checking the entire site.
  • HSTS has `max-age` of at least 31,536,000 seconds.
  • `includeSubDomains` is used only when subdomains also have HTTPS.
  • CSP first runs in Report-Only mode.
  • `X-Content-Type-Options` has the value `nosniff`.
  • The page has iframe protection: `X-Frame-Options` or `frame-ancestors`.
  • `Referrer-Policy` does not expose full addresses unnecessarily.
  • The privacy policy is current and accessible from the footer.
  • Contact form and checkout only work over HTTPS.
  • API or booking forms do not have unintended `Access-Control-Allow-Origin: *`.
  • After changes, an audit was run on mobile and desktop.

7-day Mini Plan

  1. Check the 10 most important URLs: homepage, product/service, cart or form, contact, privacy policy.

  2. Enable or renew the SSL certificate and redirect HTTP to HTTPS.

  3. Remove mixed content, i.e., old `http://` addresses in images, scripts, and links.

  4. Enable HSTS without `preload`; add `includeSubDomains` only after checking subdomains.

  5. Add `nosniff`, `X-Frame-Options`, and `Referrer-Policy`.

  6. Enable CSP in Report-Only mode and document which external services are actually needed.

  7. Update the privacy policy and run an AI-ready audit at [auditai.cc](https://auditai.cc).

Common Mistakes

  • The certificate is valid only for `www`, while the store links the non-`www` version. Effect: some visits hit a certificate error or an extra redirect.
  • HSTS with `includeSubDomains` while an old subdomain still runs on HTTP.

    headers.http
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    This header is wrong if `blog.yourdomain.pl` or `panel.yourdomain.pl` still operates only over HTTP. With `preload` the mistake is also hard to undo: removal from the browser preload list only reaches users with new browser releases, so it cannot be reverted quickly.

  • The privacy policy is hidden or outdated. If the agent is to recommend a booking form and the page doesn't say who collects the data, the trust signal is weak.
  • CSP enabled immediately in blocking mode. Start with `Content-Security-Policy-Report-Only`; otherwise you may disable payments, maps, or review widgets.
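The Report-Only week only pays off if someone reads the reports the browser sends to `report-uri`. The script below is an added example of that triage, not code from the article or from Audit AI: it assumes the `report-uri` format (one JSON object per POST with a top-level `csp-report` key, stored one per line), counts violations per directive and source origin, and builds the enforced policy from a list of services you have already approved. The sample reports are constructed, not real traffic, and the approved-service names are assumptions.

```python
"""Triage for Content-Security-Policy-Report-Only violation reports: aggregate
them, add approved services to the enforced policy, list what would still break.
Added example, not Audit AI's code. Assumes the report-uri JSON format."""
import json
from collections import Counter
from urllib.parse import urlsplit


def report_key(report):
    """Reduce one csp-report object to (directive, origin-or-token).
    Tokens such as 'inline' or 'eval' are kept as-is; they never belong in an allowlist."""
    directive = (report.get("effective-directive") or report.get("violated-directive") or "?").split()[0]
    blocked = (report.get("blocked-uri") or "").strip()
    if "://" in blocked:
        parts = urlsplit(blocked)
        return directive, f"{parts.scheme}://{parts.netloc}"   # drop path and query string
    return directive, blocked or "(empty)"


def summarize(lines):
    """Count (directive, source) pairs across report-uri POST bodies, one JSON per line."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            report = json.loads(line).get("csp-report", {})
        except (ValueError, AttributeError):
            continue   # malformed body: skip it rather than abort the triage
        counts[report_key(report)] += 1
    return counts


def suggest_policy(counts, approved, base="default-src 'self'"):
    """Build the enforced policy from the approved service list (step 4: write down the
    payment gateway, review system and maps before blocking). Returns (policy, leftovers);
    leftovers are the sources that will be blocked once the policy is enforced."""
    per_directive = {}
    leftovers = []
    for (directive, source), n in counts.items():
        if source in approved:
            per_directive.setdefault(directive, set()).add(source)
        else:
            leftovers.append((directive, source, n))
    policy = [base] + [
        f"{d} 'self' " + " ".join(sorted(per_directive[d])) for d in sorted(per_directive)
    ]
    return "; ".join(policy), sorted(leftovers, key=lambda t: (-t[2], t[0], t[1]))


# Constructed sample reports (not real traffic): a cosmetics store during the 7-day trial.
def _report(directive, blocked, document="https://yourdomain.pl/checkout"):
    return json.dumps({"csp-report": {
        "document-uri": document, "effective-directive": directive,
        "violated-directive": directive, "blocked-uri": blocked,
        "original-policy": "default-src 'self'; report-uri /csp-report", "disposition": "report"}})


SAMPLE_LINES = [
    _report("script-src", "https://pay.example/checkout.js?v=3"),
    _report("script-src", "https://pay.example/checkout.js?v=3"),
    _report("script-src", "https://pay.example/3ds.js"),
    _report("img-src", "https://maps.example/tiles/12/34.png"),
    _report("script-src", "inline"),
    _report("script-src", "inline"),
    _report("script-src", "https://old-widget.example/reviews.js"),
    "not json at all",
]
APPROVED = {"https://pay.example", "https://maps.example"}   # assumed service names

if __name__ == "__main__":
    policy, leftovers = suggest_policy(summarize(SAMPLE_LINES), APPROVED)
    print("Content-Security-Policy:", policy)
    for directive, source, n in leftovers:
        print(f"still blocked after enforcing: {directive} {source} ({n} reports)")
```

The leftovers list is the decision point: an abandoned widget should stay blocked, while `inline` script violations mean moving the code into a file or adding a nonce, not adding `'unsafe-inline'`, which would undo most of the benefit of the policy.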

How to Measure Effects

Don’t count only Google rankings. In this context, technical and operational signals matter.

Check whether the Security audit moves from F/C to A or A+. In the server logs, watch for redirect chains (3xx) and for 4xx responses that appear once the redirects go live. Confirm that forms and checkout still work after HTTPS is enforced.

In the coming weeks, also monitor branded queries, visits to the privacy policy, and the number of SSL error messages in hosting tools. If you run a store, set an alert 30 days before the certificate expires.

Who This Is Not a Priority For

Do not start with HSTS preload if you have a distributed infrastructure and do not know which subdomains still run on HTTP. Do not begin with a strict CSP if the checkout relies on many external scripts and you lack a testing environment.

If you have a simple business card site without forms, start with HTTPS, a certificate, and a privacy policy first. CSP and CORS can wait a few days. If you operate a store, bookings, payments, or a client account, don't put this off.

FAQ

Does AI really check the SSL certificate?
Public documentation of models usually does not describe such a simple scoring method. However, in practice, a crawler or agent must retrieve the site securely. If the certificate is faulty, expired, or the site operates only over HTTP, the risk increases that the system will bypass the site or treat it as a less trustworthy source.
Is HSTS required for a small store?
It is not legally required as a standalone feature, but it is a good technical standard after implementing HTTPS. At Audit AI, it has its own checkpoint because it reduces the risk of reverting to unsecured HTTP.
Is the padlock in the browser enough?
No. The padlock indicates that the connection is encrypted, but it does not say whether the certificate will expire in a week, if HSTS is active, if the page has secure headers, and if there is an updated privacy policy.
Can I do this without a programmer?
HTTPS and auto-renew can often be enabled in the hosting panel. HSTS, CSP, and additional headers depend on the hosting, Cloudflare, or server configuration. If you do not have access to the setup, send the administrator a specific checklist from this article.

Summary

SSL and HSTS will not replace good product descriptions, schema.org, or FAQ content. However, they are fundamental: without a secure channel, the AI agent has fewer reasons to trust the site and guide the user further. Start with HTTPS, a certificate valid for more than 30 days, and HSTS, and only then refine CSP and other headers. If you want to check which elements are blocking the result, run an audit at auditai.cc.
