Default rules to off (or marked partial) for less than 100% HTTPS sites
Assuming a goal of HTTPS-E is to avoid exposing the general user to much risk, let us not enable by default rulesets which do not offer 100% encryption coverage of a site experience.
A happy pretty green checkmark by a ruleset seems to imply that...
- authentication login tokens are safe
- session info (cookie, SID, etc.) is safe
- content is safe
Yet some rulesets are happy green pretty when no such guarantee is provided by said rules. Not to mention that an exposing fallback can occur when a rule breaks, since there is currently no 'do not fallback' option.
So default them off, or deploy another indicator for them.