While enforcing HTTPS has become a web security best practice since Let's Encrypt made certificates free in 2016, some websites deliberately keep TLS optional. This appears counterintuitive when major browsers display "Not Secure" warnings for HTTP sites.

// Example of HTTP 301 redirect in Nginx
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

Many enterprise environments still run legacy applications that:

• Rely on HTTP for internal service communication
• Use outdated libraries without TLS 1.2+ support
• Have hardcoded HTTP URLs in firmware/embedded systems

Enforcing HTTPS while allowing HTTP creates security theater. Consider this common anti-pattern:

<!-- Insecure resource loading despite HTTPS page -->
<script src="http://cdn.example.com/library.js"></script>

TLS handshakes add latency, particularly for:

• High-volume API endpoints (mobile apps may prefer HTTP for polling)
• CDN edge cases where TCP fast open isn't available
• Low-power IoT devices with limited crypto acceleration

HTTP remains valuable for:

# Testing with curl without cert verification
curl -v http://api.example.com/debug

# Protocol analysis
tcpdump -i eth0 port 80 -w traffic.pcap

Your approach with long-duration HSTS headers (max-age=63072000) is correct for most public websites. The only potential negatives:

• Breaking ancient browsers (IE6, Android 2.3)
• Complications during certificate outages
• Needing careful planning for subdomain migrations

Consider these real-world examples where HTTPS remains optional:

1. Local network devices (printers, IP cameras)
2. Scientific research sites with large binary downloads
3. Legacy API endpoints with client whitelisting

For modern web applications, this Apache config shows ideal TLS enforcement:

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

The maintainer's stance reflects either technical debt or specific use cases requiring HTTP fallback. In 2024, optional HTTPS should be the exception rather than the rule.

While HTTPS has become the web security standard, some legitimate technical scenarios exist where strict enforcement may not be ideal:

// Example: Mixed content handling in legacy systems
if (legacySystemRequiresHttp()) {
  // Allow HTTP fallback for specific endpoints
  app.use('/api/legacy', allowHttpMiddleware);
} else {
  // Enforce HTTPS for all other routes
  app.use(httpsEnforcementMiddleware);
}

1. Embedded/IoT Devices with limited computing power may struggle with TLS handshakes. Some industrial equipment still relies on HTTP for sensor data collection.

2. Local Network Services running on LAN might not benefit from HTTPS when external access is already firewalled.

TLS adds latency:

• Additional RTTs during handshake
• CPU overhead for encryption/decryption
• Certificate validation time

// Node.js performance measurement example
console.time('HTTPS Request');
https.get('https://example.com', () => {
  console.timeEnd('HTTPS Request');
});

console.time('HTTP Request');
http.get('http://example.com', () => {
  console.timeEnd('HTTP Request');
});

For most websites today, HTTPS should be mandatory. The proper implementation includes:

# Nginx configuration for HTTPS enforcement
server {
  listen 80;
  server_name example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  # SSL configuration...
}

The only exceptions should be:

• Internal development environments
• Specialized hardware constraints
• Temporary migration periods

When making the decision, consider: