Add [RemoteRequireHttps] to your controller methods to require connections over HTTPS except when debugging locally.