Mike.Sheen wrote:SBarnes wrote:but what if something needs to stay on http?
Then that something can't participate on the internet.
We allow non HTTPS only for the ease of development and testing, but really in this day and age if anything can't do HTTPS then they might as well pack up their things and go home.
Probably correct and as for all routes loading you could always get around that not only with the ability to allow and deny routes at the user level but you could always have extra insurance by a request filter as an option as well to look at incoming ips, port, routes etc. so nothing slipped through.