This is a good point and the first I’ve heard it mentioned.
This was originally suggested because if you self host you can easily create a login page over HTTP if you do not specify an certificates.
But if you are hosting in IIS (or Azure for that matter), IIS provides the HTTPS authentication and proxies all the HTTP traffic back to UD so UD does not need a certificate configured at all. This is standard ASP.NET Core technology and is considered safe.
That said, the AllowHttpForLogin parameter is a misnomer. I’m open to suggestions on how to handle this. The easiest thing to do would be to rename it and leave an alias for the old name to prevent breaking people.
We could get sneaky and figure out if we are running in IIS and avoid the error message but thats a lot more work.