Good practice or bad practice to force entire site

Published 2019-04-08 03:18

Question:

I have a site that works very well when everything is in HTTPS (authentication, web services etc). If I mix http and https it requires more coding (cross domain problems).

I don't seem to see many web sites that are entirely in HTTPS so I was wondering if it was a bad idea to go about it this way?

Edit: Site is to be hosted on Azure cloud where Bandwidth and CPU usage could be an issue...

EDIT 10 years later: The correct answer is now to use https only.

Answer 1:

This question and especially the answers are OBSOLETE. This question should be tagged: <meta name="robots" content="noindex"> so that it no longer appears in search results.

To make THIS answer relevant:

  1. Google is now penalizing website search rankings when they fail to use TLS/https. You will ALSO be penalized in rankings for duplicate content, so be careful to serve a page EITHER as http OR https BUT NEVER BOTH (Or use accurate canonical tags!)

  2. Google is also aggressively indicating insecure connections, which has a negative impact on conversions by frightening off would-be users.

  3. This is in pursuit of a TLS-only web/internet, which is a GOOD thing. TLS is not just about keeping your passwords secure — it's about keeping your entire world-facing environment secure and authentic.

  4. The "performance penalty" myth is really just based on antiquated obsolete technology. This is a comparison that shows TLS being faster than HTTP (however it should be noted that page is also a comparison of encrypted HTTP/2 HTTPS vs Plaintext HTTP/1.1).

  5. It is fairly easy and free to implement using LetsEncrypt if you don't already have a certificate in place.

  6. If you DO have a certificate, then batten down the hatches and use HTTPS everywhere.

TL;DR, here in 2019 it is ideal to use TLS site-wide, and advisable to use HTTP/2 as well.

</soapbox>


Answer 2:

You lose a lot of features with HTTPS (mainly related to performance):

  • Proxies cannot cache pages
  • You cannot use a reverse proxy for performance improvement
  • You cannot host multiple domains on the same IP address
  • Obviously, the encryption consumes CPU

Maybe that's no problem for you, though; it really depends on the requirements.



Answer 3:

HTTPS decreases server throughput so may be a bad idea if your hardware can't cope with it. You might find this post useful. This paper (academic) also discusses the overhead of HTTPS.



Answer 4:

If you have HTTP requests coming from an HTTPS page you'll force the user to confirm the loading of insecure data. Annoying on some websites I use.



Answer 5:

If you've no side effects then you are probably okay for now and might be happy not to create work where it is not needed.

However, there is little reason to encrypt all your traffic. Certainly login credentials or other sensitive data should be. One of the main things you would be losing out on is downstream caching. Your servers, the intermediate ISPs and users cannot cache HTTPS. This may not be completely relevant, as it reads that you are only providing services. However, it completely depends on your setup and whether there is opportunity for caching and if performance is an issue at all.



Answer 6:

It is a good idea to use all-HTTPS - or at least provide knowledgeable users with the option for all-HTTPS.

If there are certain cases where HTTPS is completely useless and in those cases you find that performance is degraded, only then would you default to or permit non-HTTPS.



Answer 7:

I hate running into pointlessly all-HTTPS sites that handle nothing that really requires encryption. Mainly because they all seem to be 10x slower than every other site I visit. Like most of the documentation pages on developer.mozilla.org will force you to view it with HTTPS, for no reason whatsoever, and it always takes a long time to load.