
That depends on what your website is. If it's for some commercial or sensitive thing then yeah, just HTTPS is okay. But if it's something of yours (and isn't just done to get you hired) then the downsides of HTTPS-only outweigh the benefits. HTTP+HTTPS is perfect for human persons even if it's not for corporate persons.

You're basically making it so that people can only visit your site if a third party corporation wants to maintain an account with you. There are benign organizations like LetsEncrypt but it still means giving up control to an entity that will eventually go bad. Just look at what happened to dot Org.

And of course you prevent even moderately old systems from interacting with your web server. Depending on your accepted TLS cipher set you're probably excluding software from as late as 2017 by going HTTPS only.

It's like wearing level 3 body armor when you go out to the park to walk the dog. There are some people who have lives where that's necessary, but it really isn't for most. And the downsides outweigh the admittedly very safe protection.



> You're basically making it so that people can only visit your site if a third party corporation wants to maintain an account with you.

I don’t know about you but people can only visit my site if a “third party” maintains an account with me… and that third party is my ISP.

The web, even self hosted sites, isn’t some direct person to person contact network. It relies on a wealth of protocols and a community backing it.

Now to be fair, I do upgrade everyone but I don't do so because of security concerns. I do it because the protocol inconsistency occasionally shows up in my logs, and sometimes browsers block APIs based on whether you are HTTPS or not. It'd be nice if they didn't but browsers are yet another third party in between my servers and my end user.
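The "browsers block APIs based on whether you are HTTPS" point above is the W3C Secure Contexts rule: a page only gets features like Service Workers, Geolocation and the Web Crypto subtle API when its origin is "potentially trustworthy", and a secure page is in turn not allowed to pull in plain-http subresources (mixed content). The following is an added example, not code from this thread or from any browser; it implements the main cases of the origin check with Node's built-in WHATWG `URL` parser and a deliberately simplified mixed-content rule. Hostnames such as `example.com` and `cdn.example.com` are constructed sample inputs.

```javascript
// Added example (not from the original thread): decide whether a page URL
// would run in a browser "secure context" and whether a subresource load
// would be blocked as mixed content. Uses the global WHATWG URL class.

// Loopback hosts are potentially trustworthy even over plain http, so local
// development servers keep secure-context APIs without a certificate.
function isLoopbackHost(hostname) {
  // WHATWG URL keeps the brackets on IPv6 hostnames ("[::1]"); drop them.
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "::1") return true;
  // Whole 127.0.0.0/8 block counts as loopback, not only 127.0.0.1.
  const m = h.match(/^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);
  return m !== null && m[1] === "127";
}

// True when a document at this URL gets secure-context-only APIs.
function isPotentiallyTrustworthyOrigin(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return false; // unparsable input is never trustworthy
  }
  switch (u.protocol) {
    case "https:":
    case "wss:":
    case "file:":
      return true; // authenticated transport, or local file
    case "http:":
    case "ws:":
      return isLoopbackHost(u.hostname); // plaintext is fine only on loopback
    default:
      return false; // data:, blob:, ftp:, ... inherit or are untrusted
  }
}

// Simplified mixed-content rule: a secure page must not load a subresource
// from a non-trustworthy origin. The spec distinguishes blockable content
// (scripts, frames, XHR) from upgradeable content (images, media), and
// current browsers auto-upgrade the latter; that nuance is omitted here.
function isMixedContentBlocked(pageUrl, resourceUrl) {
  return (
    isPotentiallyTrustworthyOrigin(pageUrl) &&
    !isPotentiallyTrustworthyOrigin(resourceUrl)
  );
}

// Constructed sample inputs for a stand-alone run.
const samplePages = [
  "http://example.com/",
  "https://example.com/",
  "http://localhost:3000/",
  "http://127.0.0.1/",
  "http://[::1]:8080/",
  "http://127.example.com/", // looks loopback-ish but is a real hostname
];
for (const page of samplePages) {
  console.log(page, "secure context:", isPotentiallyTrustworthyOrigin(page));
}
console.log(
  "https page loading http script blocked:",
  isMixedContentBlocked("https://example.com/", "http://cdn.example.com/app.js")
);
```

Running it shows why an HTTP+HTTPS site behaves differently depending on which scheme a visitor arrives on: the same page gets the gated APIs at `https://example.com/` and at `http://localhost:3000/` but not at `http://example.com/`, and once the page is served over HTTPS any leftover `http://` script or frame reference is blocked rather than silently loaded, which is the kind of "protocol inconsistency" that surfaces in server logs.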


> If it's for some commercial or sensitive thing then yeah, just HTTPS is okay.

It wasn't before the attacker inserted themselves, but now it is and there's a credit card form for a seemingly legitimate service on your site.



