Sure, the web is assumed to be SSL wrapped these days, but little lightweight protocols like this absolutely don't need that overhead. I don't even have a website on that domain right now, I set up Apache entirely to service my NIP-05 identifier. I feel like NIP-05 should be able to work over either protocol... Consider the day when Nostr clients are doing hundreds if not thousands of these verification requests constantly. If it's on a domain with a legit website and other services, sure, go SSL. But if not, why add all the overhead?

To be even more lightweight, I could have written a little script that listens on port 80 and only spits out this one URL with the appropriate HTTP header for CORS. No webserver required, no encryption, super lightweight.