6adac89 to ad4ae92
HTTPS is now required for API access, too
ad4ae92 to 4d2d819
This looks good in theory to me. The only doubt I have is whether this tool needs to support the 'No' option. It adds more steps to the setup and is not something I can see Torchbox (as the main package users) needing much.
I think it needs to. The HTTPS handling doesn't do a redirect, which means sites which use the S3 URL directly may not work. I'm not sure if S3 does HSTS preload for its URLs, but it feels like too big of a risk.
From discussion, I've enforced HTTPS. Most users should be using HTTPS, and if a user isn't, that's a problem in itself worthy of investigating.
Looks good to me!
HTTPS is now required for API access, too.
Sadly, there's no way to have S3 redirect to HTTPS instead. Chances are, S3 is running behind some kind of proxy for serving files, which itself would handle the redirect.