It seems I misunderstood what you meant.

You weren’t saying “the site has no JavaScript,” you were saying “I’m not allowing JS over an insecure connection.” Got it.

Just miscommunication my friend. I am not pushing back against your claims. It is not my site to defend.

Not sure what you mean. If there’s no JavaScript, there’s no malicious scripts then… would need to be JavaScript or some other script for it to be malicious… otherwise it’s just a static website… don’t throw out buzz words

It’s not my website so I can’t add https. Run it in a sandbox if you’re so concerned.