Hi all! Great questions and conversation here. I have some more info that I think will help.
We respond over both HTTP and HTTPS for all sites. Some users put proxies, like Cloudflare, in front of their site, but this means we can’t downgrade from HTTPS to HTTP. This is because HTTPS might work, but we don’t know that at our end. If a user (or tool) explicitly requests HTTPS, we’ll serve it with whatever cert we have, but only if the user requests it.
Enforcement is specifically about redirecting HTTP to HTTPS. When not enabled, we don’t redirect, but still serve HTTPS.
Having said all that, this particular issue isn’t really a bug, because to us, the visitor is explicitly asking for HTTPS.
As mentioned above, if you’re unable to hard-code HTTP, adding Cloudflare in front of your site can allow you to support HTTPS.
HTTPS for custom domains is one of our most frequent feature requests, and I can tell you that it’s something we’re working on (though I can’t specify a timeline for that).
I hope this helps!