Unless you’ve recently had your website security upgraded, chances are it is vulnerable. For most websites there is a brief window of opportunity for an attacker while the site redirects from its http:// address to its https:// address.
It is a cat-and-mouse game: you shore up your defences, attackers find a new way in, and you must defend again. Don’t expect your website host to be doing this for you. It’s for you to push them into taking action, regularly.
This weakness, exploited more often during the COVID-19 era, is easily guarded against by implementing HTTP Strict Transport Security (HSTS).
To a skilled attacker, most websites are vulnerable when switching traffic from HTTP to HTTPS. There is a moment during this switch (done by your website with a 301 redirect) where an attacker can mount a man-in-the-middle attack that stops your site from continuing on HTTPS. It’s then easy to sniff the traffic and read the content.
HSTS prevents this, and it is relatively simple to implement. Sites that have multiple integrations and pull content from multiple sources can be a little trickier, as each source needs to be set up so that it is covered by HSTS.
A quick analogy, comparing your home to your website.
Think of the front door on your home as:
http:// = wooden door on the front of your website
https:// = metal door with a lock
HSTS = sealed vault door
Now consider the value of your business, the purpose of your website and the type of door it needs.
Will adding HSTS help my SEO ranking? Yes. Aside from brownie points (Google and other search engines naturally reward sites with higher levels of security), the safer a site is, the higher they will rank it. In addition, it shaves time off your page load, because the browser loads over https:// directly instead of going through the redirect. Add that up over multiple data requests and your site will be natively faster loading.
Want to test how secure your site is? One simple resource (there are many) is https://securityheaders.com
A note: an A score doesn’t need to be the objective. Your site may not have content that requires every header to be in place (and therefore an A rating).
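If you would rather check the redirect and the HSTS header yourself, the following added example (not from the original post or from securityheaders.com) evaluates a captured redirect chain. It assumes you have already recorded the scheme, status and headers of each response; the sample chains below are constructed, and the one-year minimum is the threshold scanners and the preload list commonly expect.

```python
MIN_MAX_AGE = 31536000  # one year; the usual scanner / preload-list threshold (assumption)

def header(headers, name):
    """Case-insensitive header lookup; returns None if the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"') or None
    return out

def evaluate(chain):
    """chain[0] is the response to the plain-HTTP request, chain[-1] the final
    response. Each entry is {"scheme", "status", "headers"}.
    Returns a list of findings; an empty list means the posture looks good."""
    findings = []
    first, last = chain[0], chain[-1]
    loc = header(first["headers"], "Location") or ""
    if first["scheme"] == "http" and not (first["status"] in (301, 308) and loc.startswith("https://")):
        findings.append("plain HTTP is not permanently redirected to HTTPS")
    if first["scheme"] == "http" and header(first["headers"], "Strict-Transport-Security"):
        # Browsers ignore HSTS received over plain HTTP (RFC 6797, section 8.1).
        findings.append("HSTS header sent over HTTP is ignored by browsers; it must be on the HTTPS response")
    hsts = header(last["headers"], "Strict-Transport-Security") if last["scheme"] == "https" else None
    if hsts is None:
        findings.append("no Strict-Transport-Security header on an HTTPS response")
        return findings
    d = parse_hsts(hsts)
    age = d.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age is missing or not a number; the header is invalid")
    elif int(age) == 0:
        findings.append("max-age=0 clears the policy rather than enforcing it")
    elif int(age) < MIN_MAX_AGE:
        findings.append(f"max-age={age} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains stay exposed to the redirect window")
    return findings

# Constructed sample chains: a 301 to HTTPS followed by a weak header, and a good one.
WEAK = [{"scheme": "http", "status": 301, "headers": {"Location": "https://example.com/"}},
        {"scheme": "https", "status": 200, "headers": {"strict-transport-security": "max-age=300"}}]
GOOD = [{"scheme": "http", "status": 301, "headers": {"Location": "https://example.com/"}},
        {"scheme": "https", "status": 200,
         "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}}]
```

Run `evaluate(WEAK)` to see the short max-age and missing includeSubDomains reported; `evaluate(GOOD)` returns no findings.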