Comment 4 for bug 1278589

Stéphane Graber (stgraber) wrote :

We shouldn't auto-detect as this opens the door for downgrade attacks.

The https-only use case does matter for some internal/OEM projects where they don't wish any traffic to ever go over http, so that's why I suggested both settings in the bug description.

I'm not entirely against having https_only and http_only settings but then it gets confusing because you'll still need to set the ports to some value (even if they then get ignored) and you'll have to deal with the case where both _only are set to True ;)