: HTTPS can achieve three things: Authenticity. Making sure that you are communicating with the real domain owner. Confidentiality. Making sure that only this domain owner and you can read the

HTTPS can achieve three things:

Authenticity. Making sure that you are communicating with the real domain owner.
Confidentiality. Making sure that only this domain owner and you can read the communication.
Integrity. Making sure that the content doesn’t get modified by someone else.

Probably everyone agrees that HTTPS should be mandatory when transmitting secrets (like passwords, banking data etc.).

But there are several other cases where and why the use of HTTPS can be beneficial:

Attackers can’t tamper with requested content.

When using HTTP, eavesdroppers could manipulate the content your visitors see on your website. For example:

Including malware in the software you offer for download.
Censoring some of your content. Changing your expressions of opinion.
Injecting advertisements.
Replacing the data of your donations account with their own.

Of course this also applies to content sent by your users, for example wiki edits. However, if your users are anonymous, the attacker could "simulate" being a user anyway (unless the attacker is a bot and there is some effective CAPTCHA barrier).

Attackers can’t read requested content.

When using HTTP, eavesdroppers could know which pages/content on your host your visitors access. Although the content itself may be public, the knowledge that a specific person consumes it is problematic:

It opens an attack vector for social engineering.
It infringes privacy.
It can lead to surveillance and punishment (right up to imprisonment, torture, death).

Of course this also applies to content sent by your users, for example mails via a contact form.

All that said, simply offering HTTPS in addition to HTTP would only protect users that check (or locally enforce, e.g. with HSTS) that they are using it. Attackers could force all other visitors to use the (vulnerable) HTTP variant.

So if you come to the conclusion that you want to offer HTTPS, you might want to consider enforcing it (server-side redirect from HTTP to HTTPS, send HSTS header).