Allow configuration to require HTTPS login

[alanhogan]

LM 2.4.0 allowed HTTPS-only cookies but you can still log in on HTTP if your server is flexible, which many would be given http:// short URLs.

We should allow forcing HTTPS logins

[alanhogan]

Planned implementation:

1. Introduce a new constant, something like REQUIRE_HTTPS_TO_SHRINK_OR_MANAGE
2. Any API or web UI requests — that is, anything that hits /-/index.php today — would fail with a 400 BAD REQUEST error and an error page or error message (depending on whether it is via web UI or API) stating that HTTPS is required.

This would be preferred over a 301 or other redirection because a redirection does not let the user know that they have potentially leaked their API key in plaintext, etc.

Of course, the downside is that old integrations & bookmarks will break. This should be combatted with appropriate warnings on the upgrade.