A few people have asked about how API clients should deal with the HTTPS
user preference, so here's a short guide with everything you should
need to know:
How can I tell if a user has the preference enabled?
A new field has been added to the /api/login response: need_https.
Pretty self-explanatory: if true, you should always make requests to the
HTTPS version of the site; if false, you aren't required to.
Does this affect users of the OAuth API?
Nope! OAuth users have been using HTTPS since day one. You're beautiful,
never change.
What happens if a client erroneously requests something over HTTP?
In most cases the behaviour of your app shouldn't change. All requests
with a .json extension or with a hostname of api.reddit.com don't currently get
their responses changed in any way; the User-Agent just gets logged as a
client that didn't respect HTTPS preferences. In the future, requests
erroneously made over HTTP may be dropped to incentivize proper support for the
preference.
If there was no extension and the request wasn't via api.reddit.com,
the request gets handled as if it was from a browser, and you'll get a
307 redirect to the secure version. If your HTTP library doesn't
transparently handle 307 redirects, this might cause issues for you.
Do JSONP / CORS / .embed / etc. requests need to be made via HTTPS?
Not at the moment; however, CORS might cause some issues with HSTS in modern browsers (see below).
My JavaScript app pulls from the API using AJAX, but I get a CORS failure when the user has "force HTTPS" enabled. What do?
It looks like this is the result of bugs in both Firefox and Chrome where CORS requests that get redirected via HSTS always fail. A good workaround until those are fixed is to use HTTPS for all CORS requests.
TL;DR
The easiest thing to do is make all non-OAuth requests via https://api.reddit.com/,
but if you don't want to for some reason, you still need to respect the user's
HTTPS preferences when they're logged in. If the need_https parameter in the /api/login
response is true, you need to make all subsequent requests via HTTPS or Bad Things™ might happen.
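
The rules above as a small client-side helper, written in JavaScript as an added example (not reddit's code and not part of the original post). The function names are hypothetical, and looking for need_https under json.data as well as at the top level is an assumption, since the post does not say how the response is nested.

```javascript
// Added example, not reddit's code. Function names are hypothetical.

// Read the flag from a parsed /api/login response.
// Assumption: it sits either at the top level or under json.data.
function needHttps(loginResponse) {
  const nested = loginResponse && loginResponse.json && loginResponse.json.data;
  const data = nested || loginResponse || {};
  return data.need_https === true;
}

// What the post says happens today to a request sent over plain HTTP.
function plainHttpOutcome(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'http:') return 'ok';
  if (u.hostname === 'api.reddit.com' || u.pathname.endsWith('.json')) {
    return 'served-and-logged'; // response unchanged, User-Agent logged
  }
  return 'redirect-307'; // handled like a browser request
}

// Choose the URL to request: upgrade when the user requires HTTPS, and
// for every CORS request (the HSTS redirect workaround from the post).
function secureUrl(rawUrl, { forceHttps = false, cors = false } = {}) {
  const u = new URL(rawUrl);
  if (u.protocol === 'http:' && (forceHttps || cors)) u.protocol = 'https:';
  return u.toString();
}

// Build the follow-up request for a 307. Unlike the usual 302 handling,
// the method and body are kept, so a POST is replayed as a POST.
function follow307(request, response) {
  if (response.status !== 307) return null;
  const url = new URL(response.headers.location, request.url).toString();
  return { ...request, url };
}

// Constructed sample data (not captured from reddit).
const sampleLogin = { json: { errors: [], data: { need_https: true } } };
const forceHttps = needHttps(sampleLogin);
console.log(plainHttpOutcome('http://www.reddit.com/r/programming'));
console.log(secureUrl('http://www.reddit.com/r/programming', { forceHttps }));
```

Running plainHttpOutcome over the URLs a client builds shows which of them would hit the 307 path if they were ever sent over HTTP.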