I am designing my first GAE app and obviously need to use HTTPS for the login functionality (can’t be sending my User’s UIDs and passwords in cleartext!).
But I’m confused/nervous about how to handle requests after the initial login. The way I see it, I have 2 strategies:
- Use HTTPS for everything
- Switch back from HTTPS (for login) to plain ole’ HTTP
The first option is more secure, but might introduce performance overhead (?) and possibly send my service bill through the roof. The second option is quicker and easier, but less secure.
The other factor here is that this would be a “single-page app” (using GWT), and certain sections of the UI will be able to accept payment and will require the secure transmission of financial data. So some AJAX requests could be HTTP, but others must be HTTPS.
So I ask:
- GAE has a nifty table explaining incoming/outgoing bandwidth resources, but never concretely defines how much I/O bandwidth can be dedicated for HTTPS. Does anybody know the restrictions here? I’m planning on using “Billing Enabled” and paying a little bit for the app (and for higher resource limits).
- Is it possible to have a GWT/single-page app where some portions of the UI use HTTP while others utilize HTTPS? Or is it “all or nothing”?
- Is there any real performance overhead to utilizing an all-HTTPS strategy?
Understanding these will help me decide between a HTTP/S hybrid solution, or a pure HTTPS solution. Thanks in advance!
If you start mixing HTTP and HTTPS requests, you are as secure as you would be using HTTP, because any HTTP request can be intercepted and can introduce possible XSS attacks.
If you are serious about your security, read up on it; assuming that you only require HTTPS for sensitive data and transmitting the rest with HTTP will bring you a lot of trouble.
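As an added illustration (not part of the question or the answer above), here is how the two strategies look in the web.xml of a GAE Java/GWT app: a hybrid constraint that only forces HTTPS on a few paths, beside the all-HTTPS constraint the answer argues for. The URL patterns (/login, /payment/*, /app/*) are assumed names for this example.

```xml
<!-- web.xml for a GAE Java / GWT app; servlet 2.5 deployment descriptor -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Option A (hybrid, as in the question): only the login and payment paths
       get a CONFIDENTIAL transport guarantee. The GWT host page, the RPC
       endpoints under /app/* and the session cookie they carry still travel
       over plain HTTP, so they can be read or altered on the wire, which is
       the weakness the answer describes. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sensitive-paths</web-resource-name>
      <url-pattern>/login</url-pattern>
      <url-pattern>/payment/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Option B (all-HTTPS): one constraint over /* makes the container answer
       every plain-HTTP request with a redirect to the https:// URL, covering
       the host page, every RPC call and the session cookie alike. Use this
       constraint instead of Option A, not in addition to it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

With Option B the session cookie issued after login is never sent over an unencrypted request, which is what the interception point in the answer comes down to.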