Very few protocols fully or properly implement the entire 7 layer OSI stack. Most times you see layers 3-5 lumped together. The way that they are looking at it is that the application (a browser, something else?) is being used to generate HTTP requests. So while it's technical accurate to say that because a browser or other application is acting as an HTTP client, the attack itself it not at layer 7 because they are receiving the attachs on layers 3 and 4 on their side.

Where the article says "But layer 7 attacks, where the attacker actually connects to our hardware using TCP and makes apparently valid HTTP requests are another matter"

Those would be layers 3 and 4.

Mis-communication and outright wrong communication about layer 7 in networking has been rampant for years.

Someone stole my copy of Comer, so I'll have to go from memory, but HTTP would best correspond to layers 5-7 IIRC.

On the other hand it's stupid to use OSI layers when talking about the internet since the internet has its own, well defined, terminology for layers. In that case HTTP is clearly at the Application layer.

The layer of HTTP is either "layer 7" (OSI) or "application layer" (Internet Protocol Suite). The article would be correct to call HTTP either of those. "Layer 4" is incorrect terminology for HTTP (and is not even mentioned in the RFC you linked).