On this ticket
We have not yet adopted an implementation standard for the range of Web services that the project will offer.
This RFC recommends that DM adopt a policy that, in the absence of a specific technical justification and acceptance by the LSST ISO (at least), all Web services exposed to users and the public Internet should be https: services.
By way of example, this would by default include the DAX VO and other LSST-specific REST services, the SUIT "Portal aspect" Web pages and associated Web APIs, and the "Notebook aspect" JupyterHub/JupyterLab services.
The expectation that the LSR and OSS requirements to implement data access policies limiting data access to identified rights holders will require all, or nearly all, data access to be authenticated provides a strong technical justification for this policy (though this is not precisely mandatory from a technical perspective).
In addition, it appears to be appropriate "technical best practice" in the current Internet environment, in the absence of good reasons to do otherwise.
We do specifically contemplate the possibility of justified exceptions - this RFC is only about setting a default.
If this RFC passes within DM, I would advocate that we proceed to elevate it to a project-wide design standard via the normal change control process. DM's systems engineering group, and then the project SE group, should consider whether to treat this as a requirement or as a design rule under change control but not in the requirements hierarchy (though it might still be expressed in component-level requirements for concreteness).