default disallow HTTP
Would it be prudent to disallow HTTP by default requiring user to explicitly consent by ticking a box or two?
ref: inherent insecurity of HTTP. Your user's traffic is not encrypted if Z-XMPP is used over HTTP. Use only HTTPS wherever you implement Z-XMPP, or make sure your users are aware that they are using an insecure communications channel.