Another thing: You should probably go TLS-only. Set up a 301 redirect from HTTP to HTTPS, and set the Strict-Transport-Security header on all HTTPS responses.
It's very easy to do, and ensures all your users get maximal security. The future is encrypted.
This is pretty reasonable provided that you're not in danger of having to stop using HTTPS. For our personal blogs, that's probably fine (and hey, I should kick up the timeout on my HSTS header, thanks for the reminder). For a site that you're making for an employer or a customer, you should be certain that they're not going to want to move it over to a non-HTTPS-compatible web host for whatever reason. Most of the time you can be confident about this; sometimes you can't. Strict-Transport-Security is a promise to your viewers that for the next whatever time period you say, you're not going to change your mind about HTTPS.
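The two posts above in code: the HTTP-to-HTTPS 301 plus HSTS on HTTPS responses that the first post recommends, and a small checker for the header value that catches the weak settings the reply alludes to (a short max-age, or preload without the directives it requires). This is an added example, not code from either commenter; the handler is a toy that models a request as (scheme, host, path) rather than a real server, and the function names are hypothetical. The one-year threshold is the minimum max-age hstspreload.org accepts.

```python
"""Added example: HTTP->HTTPS redirect, HSTS issuance, and an HSTS checker.
Hypothetical helper names; not from the thread being discussed."""

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def hsts_header(max_age=ONE_YEAR * 2, include_subdomains=True, preload=False):
    """Build a Strict-Transport-Security value (default: two years, subdomains)."""
    parts = [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def handle(scheme, host, path, body=b"ok"):
    """Toy request handler: (scheme, host, path) -> (status, headers, body).

    Plain HTTP gets a 301 to the same host and path (query string included in
    `path`) on https.  HSTS is deliberately NOT sent on the http side: browsers
    must ignore it over insecure transport (RFC 6797 section 8.1), so it only
    belongs on HTTPS responses, and it belongs on all of them.
    """
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}, b""
    headers = {
        "Content-Type": "text/plain",
        "Strict-Transport-Security": hsts_header(),
    }
    return 200, headers, body


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict.

    Directive names are case-insensitive and max-age may be quoted (RFC 6797).
    An unparsable max-age is recorded as None so the caller can flag it.
    """
    result = {}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            try:
                result["max-age"] = int(val)
            except ValueError:
                result["max-age"] = None
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
        else:
            result.setdefault("unknown", []).append(directive)
    return result


def assess_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings for an HSTS value; an empty list means it is fine."""
    findings = []
    d = parse_hsts(value)
    age = d.get("max-age")
    if age is None:
        # max-age is the one mandatory directive; without it the header is ignored
        findings.append("max-age missing or unparsable; browsers ignore the header")
        return findings
    if age == 0:
        findings.append("max-age=0 clears the policy rather than setting one")
    elif age < min_age:
        findings.append(f"max-age={age} is below {min_age} seconds (one year)")
    if d.get("preload"):
        if not d.get("includeSubDomains"):
            findings.append("preload requires includeSubDomains")
        if age < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
    return findings


if __name__ == "__main__":
    print(handle("http", "example.com", "/post?id=7"))
    print(handle("https", "example.com", "/post?id=7"))
    for v in ("max-age=300", "max-age=63072000; includeSubDomains; preload"):
        print(v, "->", assess_hsts(v) or "ok")
```

The reply's caveat shows up in `assess_hsts` only indirectly: the checker pushes you toward a long max-age, which is exactly the commitment the reply warns about. If you do have to back out, the only header-level undo is `max-age=0`, and it reaches a user only when that user returns while the site still answers over HTTPS; the `preload` directive goes further, since a browser's built-in list is not cleared by any header at all, so add it last and only when the commitment is certain.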