You don't need to turn off STP, usually it's enough to set the forward delay to a very small value ("port fast" in cisco commands). If there is a loop, the port will usually still detect it, you at the most get a handful of multiplied packets.

And all the "http boot" firmware I've seen either always ignores certificate errors or doesn't do TLS anyways.