The first lesson in cybersecurity (and I would imagine in real physical security as well) is that "protect your [asset]" is not well defined in a vacuum. You need to develop a <i>threat model</i> before you can sanely ask any questions about what actions you do or don't need to take.<p>HTTPS protects against <i>one</i> specific scenario: a third party is intercepting the communication. So it protects your users against those third parties (who might never forward the request to your site, and instead pretend to be your site; or they might spy on what they say to you or what you say back to them).<p>It does <i>not</i> protect against malicious <i>users</i> trying to hack your site directly, in any number of ways. Nor does it protect against people trying to hack into your server directly (bypassing the site entirely, although they might have the purpose of damaging your site). And it <i>definitely</i> doesn't protect against people trying to trick your users off-site, for example by sending them an email pretending to be from you.