Note to those reading Moxie's comment that if you don't enable HSTS, and do have resources that reasonably require TLS (like a login page), and you get audited by a 3rd party (like because an enterprise customer requires it), the auditor will ding you.

HSTS: Not really optional in 2013.