How to allow HTTPS-only sites while denying HTTP sites in explicit mode