- Enhancement
- Resolution: Done
- Major
- 1.0.3.Final
- None
Let's provide an #isTransportSecure method to policies so they can determine whether transport security has been provided. For certain policies this is an extremely important precondition to providing security to clients.
For instance, an OAuth policy which passes its token over cleartext is liable to replay attacks (e.g. MITM captures the token). In those cases the token should be blacklisted and not honoured in any future requests (i.e. a new token should be issued and used over a TLS channel).
Another example would be basic auth, where it is generally inappropriate to use it over insecure channels where it may transit untrusted networks.
Generally this is something that I think should be configurable, but required by default. For instance, OAuth requires transport security by default, but you can explicitly turn that stipulation off in the policy config.
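As an added illustration (not Apiman's own code) of how a policy could use such a method: a hypothetical OAuth policy in Java with an assumed minimal request model, a `requireTransportSecurity` setting that defaults to on, and the blacklisting of any token that arrives over cleartext.

```java
import java.util.HashSet;
import java.util.Set;

public class OAuthPolicy {
    // Assumed minimal request model and outcome type; not Apiman's real API.
    record Request(String scheme, String authorization) {}
    record Outcome(boolean allowed, int status, String reason) {}
    // Mirrors the proposal: transport security is required unless the policy
    // configuration explicitly switches the requirement off.
    static final class Config {
        boolean requireTransportSecurity = true;
    }
    private final Config config;
    // Tokens ever seen on a cleartext channel are treated as captured.
    private final Set<String> revokedTokens = new HashSet<>();
    OAuthPolicy(Config config) { this.config = config; }

    // The precondition the issue asks policies to be able to check.
    boolean isTransportSecure(Request request) {
        return "https".equalsIgnoreCase(request.scheme());
    }

    Outcome apply(Request request) {
        String auth = request.authorization();
        if (auth == null || !auth.startsWith("Bearer ")) {
            return new Outcome(false, 401, "missing bearer token");
        }
        String token = auth.substring("Bearer ".length()).trim();
        if (revokedTokens.contains(token)) {
            return new Outcome(false, 401, "token revoked; obtain a new one over TLS");
        }
        if (config.requireTransportSecurity && !isTransportSecure(request)) {
            // The token has transited cleartext, so a copy may already be in
            // someone else's hands: revoke it so any later replay fails.
            revokedTokens.add(token);
            return new Outcome(false, 403, "transport security required; token revoked");
        }
        return new Outcome(true, 200, "ok");
    }

    public static void main(String[] args) {
        OAuthPolicy policy = new OAuthPolicy(new Config());
        Request plain = new Request("http", "Bearer tok-123");  // constructed sample
        Request tls = new Request("https", "Bearer tok-123");
        System.out.println(policy.apply(plain)); // rejected and tok-123 revoked
        System.out.println(policy.apply(tls));   // still rejected: revoked token replayed over TLS
        System.out.println(policy.apply(new Request("https", "Bearer tok-456"))); // allowed
    }
}
```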
- Is related to: APIMAN-143 Policy - OAuth Authentication Policy (Closed)