[ryanisnan]

Other than the notion that all traffic should be served over HTTPs, if you have purely static site, why the big fuss?

[thethirdone]

Without HTTPs links could be replaced and executable file downloads could be replaced with malware.

[ryanisnan]

Right, I wasn't thinking about mitm concerns.

[woogley]

There are plenty of reasons even beyond privacy and MITM content changes. Supposedly HTTPS is better for SEO and also there are browser APIs[1] that only work in HTTPS context

[1]: https://developer.mozilla.org/en-US/docs/Web/Security/Secure...

[ryanisnan]

If you're building an application that requires the uses of these APIs, I'd hardly call that a static site, but maybe that's just me.

[thethirdone]

Static site generally just refers to the server serving static files.

I have several simple games hosted on Github Pages using the storage API which is on that list.

[Avamander]

HTTP/2 is one of those things that only works over HTTPS so it can absolutely be a static site being served over it.

[ummonk]

You can enable HSTS preload and prevent spoofing.

[dumboluzz]

people sniffing on what kind of static content you are consuming. think public unsecured wifis or sensitive material.

[ryanisnan]

True. I suppose for many types of content that could be a legitimate concern.