How is this considered even remotely good advice? I agree that you should definitely do all of the other things advocated by the author, but why <i>not</i> use HTTPS everywhere? Because of the risk of engendering a false belief that your site is secure?<p>This is a rant based on a flawed principle: that if you can't do it all, don't do any of it. If you don't use HTTPS, you will open yourself to <i>many</i> additional attack vectors. Why would any security professional give this advice? It makes no sense at all.