Oh yeah fair point, the HTTPS-ness of the first step is a helpful backstop