recommend that the user portal uri be https

[klarose]

We never talked about TLS for the user portal. Add a bit of language related to that.

Fixes #90

To discuss:

• Should this be a MUST? Existing solutions often don't use https, but that may not be a good reason to loosen the requirement.
• Have I properly mentioned the URI scheme as being https? Do we even need to do that? I'm trying to put a requirement on the API that it provide a URI that lends itself to tls-based communication, which is why I took that approach.

[klarose]

@martinthomson using MUST makes sense. I've taken your suggestion.