JENKINS-28009: Jenkins Downloads Aren't Served Over HTTPS


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor
    • Component: core

      Official downloads for the Jenkins binaries are served over plain HTTP. This is a security vulnerability, as any binaries being downloaded can easily be modified on-the-fly to inject malicious code. As Jenkins itself often has access to sensitive information, this presents a serious security vulnerability, especially for those who install and deploy Jenkins automatically.

      Since it's now 2015, and we know that these attacks actively happen in the wild by all sorts of nefarious types, it's probably time to change this.

      Fortunately, the fix is simple! Just add a rewrite rule to replace all http:// requests to *.jenkins-ci.org and jenkins-ci.org with their respective https:// equivalents in your HTTP server, and then enable HSTS.

            Assignee: Unassigned
            Reporter: Rich Jones (gunio_rich)
            Votes: 0
            Watchers: 1
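The fix the report proposes, written out as an Apache httpd configuration. This is an added example, not configuration from the Jenkins project or from the reporter: the vhost layout, certificate paths and the one-year HSTS max-age are assumptions. The plain-HTTP vhost redirects every request for jenkins-ci.org or any *.jenkins-ci.org host to the same path over https://, and the TLS vhost sets the Strict-Transport-Security header (mod_rewrite, mod_ssl and mod_headers must be loaded).

```apache
# Added example: redirect all plain-HTTP traffic for jenkins-ci.org and
# *.jenkins-ci.org to HTTPS, then enable HSTS on the HTTPS side.
# Hostnames, ports and certificate paths are assumptions for illustration.

<VirtualHost *:80>
    ServerName jenkins-ci.org
    ServerAlias *.jenkins-ci.org

    RewriteEngine On
    # Only rewrite Host values we actually serve over TLS, so a forged Host
    # header cannot turn this into an open redirect to an arbitrary origin.
    RewriteCond %{HTTP_HOST} ^((?:[a-z0-9-]+\.)*jenkins-ci\.org)$ [NC]
    # %1 is the host captured above; $1 is the request path.
    # 301 (permanent) so browsers and download scripts cache the redirect.
    RewriteRule ^/(.*)$ https://%1/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName jenkins-ci.org
    ServerAlias *.jenkins-ci.org

    SSLEngine on
    # Assumed certificate locations.
    SSLCertificateFile /etc/ssl/certs/jenkins-ci.org.crt
    SSLCertificateKeyFile /etc/ssl/private/jenkins-ci.org.key

    # HSTS: a client that has seen this header over HTTPS refuses plain HTTP
    # to the host for max-age seconds, so an on-path attacker can no longer
    # strip the redirect on later visits. The header is only meaningful over
    # HTTPS, which is why it lives in this vhost and not the :80 one.
    # Use a short max-age while testing; one year is a common production value.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Two caveats a deployer should keep in mind. HSTS protects only clients that have already fetched the host over HTTPS and that implement the header; command-line fetchers used in automated installs generally do not, so install scripts should reference https:// URLs directly rather than rely on the redirect for the first request. And `includeSubDomains` commits every subdomain of jenkins-ci.org to HTTPS, so confirm all of them actually have valid certificates before setting it.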