One thing that bothers me is that I cannot reliably (as in "in a generic way which always works") prevent users from sending their authentication unencrypted.

The only ideas I have to tackle this without modifying Zope itself are:

- customize all pages which need authentication to check for "https://" in one of the relevant REQUEST attributes and do a redirect if not.
- use apache with some magic to trigger redirection if it encounters authentication headers in the request.
- use apache with some rewrite magic to trigger redirection when a substring like "manage" is found in the request.

These alternatives are neither elegant nor really secure. So I have skimmed through Zope's (2.5.1) source and wonder if modifying HTTPResponse could work. Change

    def _unauthorized(self):
        realm=self.realm
        if realm:
            self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)

to

    def _unauthorized(self):
        if spam[0:5] == 'https':   # I wish I knew what to put here
            realm=self.realm
            if realm:
                self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)
        else:
            self.redirect('https:' + spam[4:], lock=1)   # or should we use setHeader?

My questions:

- Is _unauthorized always called when authorization is needed, or are there more points which might set that header?
- Can I get at the information I need to know if the request was via https at this point (i.e. the spam thing), or is there a better place in Zope to do what I described?
- Will redirection work here, or might something overwrite the headers later on?
- Is it possible to implement this via a monkey patch (or whatever this is called)?

Thanks,
oliver
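The decision the post is after, "only send a Basic-auth challenge when the request came in over TLS, otherwise redirect the client to the https URL", written out as an added example. This is not code from the post or from Zope; it is Python 3 against a CGI-style environ dict and a stand-in `Response` class whose `setHeader`/`redirect` calls mirror the ones quoted above. The `environ` attribute on the response (i.e. whether the response object can see its request at all), the `trusted_proxy` flag and the hostname are assumptions made for the example; the real ZPublisher integration point is exactly the open question in the post.

```python
# Added example (not from the original post or from Zope's source): the
# "challenge for Basic auth only over TLS, otherwise redirect to https"
# decision, plus the monkey-patch pattern the post asks about.
# Assumptions: the response can see its request's environ, setHeader/redirect
# behave like the calls quoted in the post, and the host name is made up.
from urllib.parse import quote


def request_is_https(environ, trusted_proxy=False):
    """True if the request that triggered the challenge arrived over TLS."""
    if environ.get("HTTPS", "").lower() in ("on", "1", "yes"):
        return True
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Behind a TLS-terminating reverse proxy the application only ever sees
    # plain HTTP.  X-Forwarded-Proto is trusted only when we know a proxy sets
    # (and overwrites) it; otherwise a client could spoof it and still be
    # challenged over plain http.
    if trusted_proxy and environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https":
        return True
    return False


def https_url(environ):
    """Rebuild the requested URL with the https scheme, keeping host, path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")) or "/"
    url = "https://%s%s" % (host, path)
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


class Response:
    """Stand-in for the publisher response (assumed shape, not Zope's class)."""

    def __init__(self, environ, realm="Zope", trusted_proxy=False):
        self.environ = environ            # assumption: response can see its request
        self.realm = realm
        self.trusted_proxy = trusted_proxy
        self.status = 200
        self.headers = {}
        self._locked = False

    def setHeader(self, name, value, literal=0):
        # mirrors the setHeader(name, value, literal) call used in the post
        self.headers[name if literal else name.lower()] = value

    def redirect(self, location, status=302, lock=0):
        self.status = status
        self.setHeader("Location", location)
        self._locked = bool(lock)         # lock: later code must not override it

    def _unauthorized(self):
        # the original behaviour quoted in the post: always send the challenge
        self.status = 401
        if self.realm:
            self.setHeader("WWW-Authenticate", 'basic realm="%s"' % self.realm, 1)


# --- monkey patch: keep a handle on the original, then replace the method ---
_original_unauthorized = Response._unauthorized


def _unauthorized_https_only(self):
    """Challenge only over TLS; otherwise bounce the client to the https URL.

    No WWW-Authenticate header is emitted on the plain-http path, so a browser
    never gets a reason to send Basic credentials in the clear."""
    if request_is_https(self.environ, self.trusted_proxy):
        _original_unauthorized(self)
    else:
        self.redirect(https_url(self.environ), lock=1)


Response._unauthorized = _unauthorized_https_only


def challenge(environ, trusted_proxy=False):
    """Run the patched hook for one request; return (status, headers) for inspection."""
    resp = Response(environ, trusted_proxy=trusted_proxy)
    resp._unauthorized()
    return resp.status, resp.headers


if __name__ == "__main__":
    # constructed sample requests, not captured traffic
    plain = {"HTTP_HOST": "zope.example.org", "SCRIPT_NAME": "", "PATH_INFO": "/manage",
             "QUERY_STRING": "x=1", "HTTPS": "off"}
    print(challenge(plain))                      # 302 + Location, no challenge
    print(challenge(dict(plain, HTTPS="on")))    # 401 + WWW-Authenticate
```

Two points worth keeping in mind when moving this into a real publisher: the redirect only closes the hole if nothing later in the response pipeline replaces the status and headers (the reason for `lock=1`), and if apache terminates TLS in front of the application then `HTTPS` will never be set on the backend, so the scheme has to come from a header that only the proxy is allowed to set.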