How Google handles 307/HSTS redirects is thoroughly explained in the latest ‘Ask Google Webmasters’ video with John Mueller.
Specifically, Mueller addresses the following question:
“How does Googlebot interact with HSTS/307s?”
An HSTS redirect can be used to force browsers to visit the HTTPS version of a page.
These types of redirects can be useful in cases where someone links to an HTTP URL instead of an HTTPS URL.
When the link is clicked on, the HSTS/307 redirect will ensure the visitor lands on the HTTPS URL.
That’s what happens when browsers interact with 307s. What happens when Googlebot does?
Here’s what Mueller says:
“In short, [Googlebot] doesn’t interact with them. 307 redirects are generally not real redirects. So what does that mean?
Well when you make a site HTTPS you can optionally use HSTS. HSTS tells users to only get the HTTPS version of a page.
So, when a user enters a URL, or clicks on a link that would otherwise go to HTTP, the browser remembers the HSTS and goes directly to the HTTPS version.”
If a site owner uses the URL Inspection tool on a page with HSTS, they will see that it has a 307 redirect in place.
However, Mueller emphasizes HSTS acts like a redirect, but isn’t a true redirect.
It’s not a true redirect as only browsers are capable of seeing a 307; it doesn’t mean anything to Googlebot.
When Googlebot crawls an HTTP page with HSTS, it will not be redirected to the HTTPS version as a browser would.
“And that’s fine,” Mueller adds.
Of course, that’s only fine if the HTTPS URLs are indexed and crawlable. HSTS is not a tool for getting links discovered.
If you’re migrating from HTTP to HTTPS, for example, HSTS will not help Google discover your new links. For that you will have to use proper 301 redirects.
HSTS is an optional tool that can be used in conjunction with a true redirect in order to be absolutely sure users are landing on secure pages.
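The difference between a browser that remembers HSTS and a client that keeps no HSTS state, modelled as an added example (not code from Google or from the video). The host `example.test`, the two in-memory sites and the `Client` class are constructed for illustration, and the model ignores `max-age` expiry and `includeSubDomains`.

```python
from urllib.parse import urlsplit

# Constructed in-memory "sites": URL -> (status, headers). Not real traffic.
HSTS = {"Strict-Transport-Security": "max-age=31536000"}
HSTS_ONLY = {  # HTTP still answers 200; only the HTTPS response sets HSTS
    "http://example.test/": (200, {}),
    "https://example.test/": (200, HSTS),
}
REDIRECT_AND_HSTS = {  # real server-side 301 plus HSTS on the HTTPS response
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (200, HSTS),
}

class Client:
    """Minimal client model; remember_hsts=True behaves like a browser."""
    def __init__(self, remember_hsts):
        self.remember_hsts = remember_hsts
        self.hsts_hosts = set()

    def fetch(self, site, url, max_hops=5):
        """Return the hops taken as a list of (status, requested_url)."""
        hops = []
        for _ in range(max_hops):
            parts = urlsplit(url)
            if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
                # Browser-internal upgrade, shown as 307: the server is never asked.
                hops.append((307, url))
                url = "https" + url[4:]
                continue
            status, headers = site[url]
            # RFC 6797: the header is honoured only when received over HTTPS.
            if (self.remember_hsts and parts.scheme == "https"
                    and "Strict-Transport-Security" in headers):
                self.hsts_hosts.add(parts.hostname)
            hops.append((status, url))
            if status in (301, 302, 307, 308):
                url = headers["Location"]
                continue
            return hops
        raise RuntimeError("too many redirects")

if __name__ == "__main__":
    browser, crawler = Client(True), Client(False)
    browser.fetch(HSTS_ONLY, "https://example.test/")  # earlier visit sets HSTS
    print("browser, HSTS only:", browser.fetch(HSTS_ONLY, "http://example.test/"))
    print("crawler, HSTS only:", crawler.fetch(HSTS_ONLY, "http://example.test/"))
    print("crawler, 301+HSTS: ", crawler.fetch(REDIRECT_AND_HSTS, "http://example.test/"))
```

With HSTS alone the stateless client stays on the HTTP URL; only the server-side 301 moves it to HTTPS.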
Here is the remainder of Mueller’s response:
“To make it clear what’s happening – it acts like it was a redirect. Chrome calls this a 307 redirect. So, if you use Chrome, and you see a 307 result code with a tool, it’s not really there.
When it comes to Googlebot, we try to crawl URLs with a fresh slate. So we wouldn’t keep the HSTS list, and rather just directly access the HTTP URL directly.
If that URL redirects, which is usually the case with an HTTP and HTTPS site, we would follow that. So, in short, Googlebot doesn’t see the 307 that you’d see in the browser. And that’s fine.”